Protect your computer and your data


Network Security - NIC-Based Intrusion Detection Systems

Overview

The goal of an intrusion detection system (IDS) is to detect inappropriate, incorrect, and unusual activity on a network, or on the hosts belonging to a local network, by monitoring network activity. Determining whether an attack has occurred or been attempted typically requires sifting through huge amounts of data (gathered from the network, hosts, or file systems) looking for clues of suspicious activity. There are two general approaches to this problem: signature detection (also known as misuse detection), which looks for patterns of well-known attacks, and anomaly detection, which looks for deviations from normal behavior.

Most work on signature and anomaly detection has relied on detecting intrusions at the level of the host processor. A problem with that approach is that even if intrusion activity is detected, one is often unable to prevent the attack from disrupting the system and over-utilizing the host CPU (e.g. in the case of denial-of-service attacks).

As an alternative to relying on the host's CPU to detect intrusions, there is growing interest in using the NIC (network interface card) as part of this process as well. The primary role of NICs in computer systems is to move data between devices on the network. A natural extension of this role is to police the packets forwarded in each direction by examining packet headers and simply not forwarding suspicious packets.

Recently there has been a fair amount of activity in the area of NIC-based computing. Related to the work on NIC-based intrusion detection systems is the use of NICs for firewall security. The idea is to embed firewall-like security at the NIC level. Firewall functionality such as packet filtering, packet auditing, and support for multi-tiered security levels has been proposed and, in fact, commercialized in 3Com's embedded firewall.

Rationale

The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection rests on the following points:

· Functions such as signature- and anomaly-based packet classification can be performed on the NIC, which has its own processor and memory. This makes the detection logic very hard to bypass or tamper with from the host, as compared with software-based systems that rely on the host operating system. The card is only as trustworthy as its own firmware and the channel used to update its rules, however, so rule downloads from the host should be authenticated.
· If the host is loaded with other programs running simultaneously with the intrusion detection software, an IDS that relies on host processing may be slowed down, thereby reducing the bandwidth available for network transmissions. A NIC-based strategy is not affected by the load on the host.
· Centralized intrusion detection systems run into a scalability problem; NIC-based intrusion detection does not. Each NIC handles the inbound and outbound traffic of the particular host or local area network it is connected to, effectively distributing the workload.
· NIC-based strategies provide better coverage and functional separation: internal NICs can detect port scans, while NICs at the firewall can detect host scans.
· The NIC-based scheme is flexible, dynamically adaptive, and can work in conjunction with existing host-based intrusion detection systems. The host-based IDS can download new rules and signatures into the NIC on the fly, making the detection process adaptive.

The Challenge

The current disadvantage of NIC-based intrusion detection is that processing capability on the NIC is much slower, and its memory subsystem much smaller, than on the host. Implementing algorithms on the NIC therefore presents several new challenges. For example, NICs typically cannot perform floating-point operations, so algorithms implemented for the NIC must fall back on estimates computed in fixed-point arithmetic. There is also a need to limit the impact on bandwidth and latency for normal, non-intrusive traffic. The challenge, then, is how best to use the NIC's processing capabilities for intrusion detection.

IDS Algorithms

As noted above, there are two general approaches to intrusion detection: signature detection (misuse detection), which looks for patterns that signal well-known attacks, and anomaly detection, which looks for deviations from normal behavior. Signature detection works reliably on known attacks but has the obvious disadvantage of being unable to detect new ones. Anomaly detection can detect novel attacks, but it cannot discern intent: it can only signal that some event is unusual, not that it is hostile, and so it generates false alarms.

Signature detection methods are better understood and more widely applied. They are used both in host-based systems, such as virus detectors, and in network-based systems such as Snort and Bro. These systems use a set of rules encoding knowledge gleaned from security experts to test files or network traffic for patterns known to occur in attacks. One limitation is that as new vulnerabilities or attacks are discovered, the rule set must be updated manually. Another is that minor variations in attack methods can often defeat such systems.

Anomaly detection is a harder problem than signature detection because, while signatures of attacks can be very precise, what counts as normal is more abstract and ambiguous. Rather than finding rules that characterize attacks, one attempts to find rules that characterize normal behavior. Since what is considered normal varies across environments, a distinct model of normal behavior can be learned for each one. Much of the research in anomaly detection models normal behavior from a (presumably) attack-free training set. Because we cannot predict all possible non-hostile behavior, false alarms are inevitable. Researchers found that when a vulnerable UNIX system program or server is attacked (for example, using a buffer overflow to open a root shell), the program makes sequences of system calls that differ from the sequences found under normal operation.

Current network anomaly detection systems such as NIDES, ADAM, and SPADE model only features of the network and transport layers, such as port numbers, IP addresses, and TCP flags. Models built with these features can detect probes (such as port scans) and some denial-of-service (DoS) attacks on the TCP/IP stack, but not attacks in which the exploit code is transmitted to a public server in the application payload. Most current anomaly detectors also use a stationary model, in which the probability of an event depends on its average rate during training and does not vary with time.

While most research in intrusion detection has focused on either signature detection or anomaly detection, most researchers have realized that the two models must work hand in hand to be most effective.

Results

The quantitative improvements observed for NIC-based IDS when tested against host-based IDS can be attributed to the fact that the host operating system does not have to be interrupted by the detection process. Thus, on heavily loaded hosts, admissible network traffic proceeds at a consistent rate, provided the computational and memory resources of the NIC are not stretched.

The benefit of having the NIC do the policing is that it can actually prevent network-based intrusions from wreaking havoc on host systems, since an intrusive packet, if caught, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot keep up with the rate at which packets are arriving, it can begin dropping packets, as this may indicate a denial-of-service attack. If the NIC were overwhelmed by such an attack, the host would be spared; it is preferable to sacrifice only the NIC rather than the entire host machine. (Dropping under overload necessarily discards legitimate traffic too, which is the trade-off being accepted.) From a technology perspective, moreover, we are not far from 1 GHz NIC processors with correspondingly larger memory. With those projected systems one can anticipate that NIC-based intrusion detection will do better both quantitatively and qualitatively, as less restrictive and more robust algorithms may be employed.

Final Comments

Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an embedded firewall network card that fits into standard peripheral slots in PC desktops and servers. The card allows deployment of advanced network security functions, such as virtual private networking, firewalling, and intrusion detection, that protect individual servers and desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of security breaches from people on the internal network.

Because the PCI635 is a NIC-based firewall/VPN/IDS device independent of the host, its filtering keeps working even if the desktop's Windows installation is compromised by a vulnerability exploit. This matters because software-based security solutions can be rendered useless once the OS is exploited, compromising the computer and potentially the internal network. The card's intrusion detection system is based on Snort and increases security by identifying known attacks. It does not make the host immune: traffic the card's rules forward can still exploit the host, which is exactly why NIC-based and host-based detection are best paired.
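The following is an added example, not code from the article or from any vendor's card firmware. It shows the NIC-side policing the Rationale and Challenge sections describe, reduced to the two checks those sections call for: a header signature (SYN and FIN set together, which no conforming TCP stack sends but some stealth port scanners do) and a stationary rate model (an exponentially weighted moving average of SYNs per interval, per source) kept in Q16.16 fixed point because the card is assumed to have no floating-point unit. The table size, interval, smoothing factor, threshold and IP addresses are assumptions chosen for illustration.

```c
/* Added example: NIC-side packet policing with a header signature and a
 * fixed-point rate model. Not from the article or any vendor firmware. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_PROTO_TCP 6
#define TCP_FIN 0x01
#define TCP_SYN 0x02

enum verdict { FORWARD = 0, DROP_MALFORMED = 1, DROP_SIGNATURE = 2, DROP_RATE = 3 };

/* Q16.16 fixed point: 1.0 is 1 << 16. alpha = 2^-2, so the multiply is a shift. */
#define FP_SHIFT          16
#define ALPHA_SHIFT       2
#define SYN_RATE_LIMIT_FP (4u << FP_SHIFT)   /* assumed limit: 4.0 SYNs per interval */
#define MAX_SRC           8                  /* assumed tiny on-card table */

struct src_state { uint32_t ip; uint32_t syn_this_interval; uint32_t syn_rate_fp; int used; };
static struct src_state table[MAX_SRC];

static struct src_state *src_lookup(uint32_t ip) {
    struct src_state *free_slot = NULL;
    for (int i = 0; i < MAX_SRC; i++) {
        if (table[i].used && table[i].ip == ip) return &table[i];
        if (!table[i].used && !free_slot) free_slot = &table[i];
    }
    if (free_slot) { memset(free_slot, 0, sizeof *free_slot); free_slot->ip = ip; free_slot->used = 1; }
    return free_slot;                        /* NULL when the table is full */
}

/* ewma += alpha * (sample - ewma) with integers only; the subtraction is
 * ordered so the unsigned arithmetic never wraps. */
static uint32_t ewma_update(uint32_t ewma_fp, uint32_t sample_fp) {
    return sample_fp >= ewma_fp ? ewma_fp + ((sample_fp - ewma_fp) >> ALPHA_SHIFT)
                                : ewma_fp - ((ewma_fp - sample_fp) >> ALPHA_SHIFT);
}

/* Run once per timer interval: fold each source's SYN count into its estimate. */
void nic_end_interval(void) {
    for (int i = 0; i < MAX_SRC; i++) {
        if (!table[i].used) continue;
        table[i].syn_rate_fp = ewma_update(table[i].syn_rate_fp, table[i].syn_this_interval << FP_SHIFT);
        table[i].syn_this_interval = 0;
    }
}

uint32_t nic_syn_rate_fp(uint32_t src_ip) {
    struct src_state *s = src_lookup(src_ip);
    return s ? s->syn_rate_fp : 0;
}

/* Inspect one IPv4 packet (no link-layer header) and decide whether to forward it. */
enum verdict nic_police(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return DROP_MALFORMED;
    if (pkt[9] != IP_PROTO_TCP) return FORWARD;            /* non-TCP: out of scope here */
    if (ihl + 20 > len) return DROP_MALFORMED;             /* truncated TCP header */
    uint32_t src = (uint32_t)pkt[12] << 24 | (uint32_t)pkt[13] << 16 | (uint32_t)pkt[14] << 8 | pkt[15];
    uint8_t flags = pkt[ihl + 13];

    if ((flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)) return DROP_SIGNATURE;

    if (flags & TCP_SYN) {
        struct src_state *s = src_lookup(src);
        if (!s) return DROP_RATE;            /* table full: fail closed for new sources */
        s->syn_this_interval++;
        if (s->syn_rate_fp > SYN_RATE_LIMIT_FP) return DROP_RATE;
    }
    return FORWARD;
}

/* Constructed test packet: 20-byte IPv4 header + 20-byte TCP header, checksums
 * left zero because the policer does not verify them. */
size_t build_tcp(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t dport, uint8_t flags) {
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = IP_PROTO_TCP;
    for (int i = 0; i < 4; i++) { buf[12 + i] = (uint8_t)(src >> (24 - 8 * i)); buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    buf[20] = 0xc0;                                         /* source port 49152 */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50;                                         /* data offset: 5 words */
    buf[33] = flags;
    return 40;
}

/* Replay two busy intervals of SYNs from one constructed source, then one more
 * SYN; the estimate rises 0.0 -> 4.0 -> 7.0, so the last SYN is rate-dropped. */
enum verdict demo_flood(void) {
    uint8_t pkt[40];
    const uint32_t attacker = 0x0a000005u, victim = 0x0a000001u;   /* 10.0.0.5 -> 10.0.0.1 */
    for (int interval = 0; interval < 2; interval++) {
        for (int i = 0; i < 16; i++) { build_tcp(pkt, attacker, victim, (uint16_t)(80 + i), TCP_SYN); nic_police(pkt, 40); }
        nic_end_interval();
    }
    build_tcp(pkt, attacker, victim, 22, TCP_SYN);
    return nic_police(pkt, 40);
}

int main(void) {
    uint8_t pkt[40];
    build_tcp(pkt, 0xc0a80001u, 0x0a000001u, 80, TCP_SYN | TCP_FIN);
    printf("SYN+FIN probe: verdict %d\n", nic_police(pkt, 40));
    printf("SYN flood: verdict %d, rate %u/65536\n", demo_flood(), nic_syn_rate_fp(0x0a000005u));
    return 0;
}
```

Two design points follow directly from the text. The rate estimate never leaves integer arithmetic: the smoothing factor is a power of two so the update is a shift, which is what "estimates based on fixed-point operations" means in practice. And the policer fails closed when its per-source table is full, which protects the host at the cost of dropping SYNs from new legitimate sources; that is the NIC-versus-host sacrifice the Results section describes, and a deployment needs the table sized for its real source population.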

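The following is an added example, not from the article and not written in Snort's or Bro's rule language. It is a minimal content-signature matcher of the kind the IDS Algorithms section says network IDS run over application payloads, with a constructed rule set and constructed payloads, to make both stated limitations concrete: a small variation of the attack bytes slips past the rule, and catching it requires someone to add another rule by hand. The rule names, the NOP-sled bytes and the HTTP request line are illustrative assumptions.

```c
/* Added example: content-signature matching and its evasion by a minor
 * variation of the attack. Not from the article or any IDS product. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct sig { const char *name; const unsigned char *pat; size_t len; };
#define SIG(n, s) { n, (const unsigned char *)(s), sizeof(s) - 1 }
#define COUNT(a)  (sizeof(a) / sizeof((a)[0]))

/* Version 1 of the rule set knows only the canonical shell string. */
static const struct sig RULES_V1[] = { SIG("shell-string", "/bin/sh") };
/* Version 2 is the manual update made after the variant was seen in the wild. */
static const struct sig RULES_V2[] = { SIG("shell-string", "/bin/sh"),
                                       SIG("shell-string-doubled-slash", "/bin//sh") };

/* Byte-wise substring search (memmem is not in standard C). */
static int contains(const unsigned char *hay, size_t hlen, const unsigned char *needle, size_t nlen) {
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Returns the index of the first rule whose pattern occurs in the payload, or -1. */
int match_payload(const struct sig *rules, size_t nrules, const unsigned char *payload, size_t len) {
    for (size_t r = 0; r < nrules; r++)
        if (contains(payload, len, rules[r].pat, rules[r].len)) return (int)r;
    return -1;
}

/* Constructed payloads: a short NOP sled followed by the path an exploit's
 * shellcode passes to execve; the variant uses the doubled slash some shellcode
 * authors choose to make the string 8 bytes long, so "/bin/sh" no longer occurs. */
static const unsigned char PAYLOAD_KNOWN[]   = "\x90\x90\x90\x90/bin/sh";
static const unsigned char PAYLOAD_VARIANT[] = "\x90\x90\x90\x90/bin//sh";
static const unsigned char PAYLOAD_BENIGN[]  = "GET /index.html HTTP/1.0\r\n";
#define LEN(p) (sizeof(p) - 1)

int main(void) {
    printf("v1: known=%d variant=%d benign=%d\n",
           match_payload(RULES_V1, COUNT(RULES_V1), PAYLOAD_KNOWN, LEN(PAYLOAD_KNOWN)),
           match_payload(RULES_V1, COUNT(RULES_V1), PAYLOAD_VARIANT, LEN(PAYLOAD_VARIANT)),
           match_payload(RULES_V1, COUNT(RULES_V1), PAYLOAD_BENIGN, LEN(PAYLOAD_BENIGN)));
    printf("v2: variant=%d (rule %s)\n",
           match_payload(RULES_V2, COUNT(RULES_V2), PAYLOAD_VARIANT, LEN(PAYLOAD_VARIANT)),
           RULES_V2[1].name);
    return 0;
}
```

The matcher itself is exactly what a rule engine does at its core; what the example makes visible is that the rule set, not the engine, is the weak point, and that every new variant costs a rule revision that has to be distributed to each NIC or sensor.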

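The following is an added example, not from the article or any published detector. It implements the host-side anomaly model the IDS Algorithms section alludes to when it notes that an exploited UNIX program makes system-call sequences not seen under normal operation: "normal" is the set of short call sequences recorded from an attack-free training run, and a new trace is scored by how many of its sequences were never seen. The syscall numbers follow x86-64 Linux, but the traces are constructed for illustration, not recorded from a real program; the window length, database size and alarm threshold are assumptions.

```c
/* Added example: system-call N-gram anomaly detection trained on an
 * attack-free trace. Not from the article or any published IDS. */
#include <stddef.h>
#include <stdio.h>

#define N 3                    /* window length */
#define MAX_GRAMS 256          /* assumed database capacity */

enum { SYS_READ = 0, SYS_WRITE = 1, SYS_OPEN = 2, SYS_CLOSE = 3, SYS_MMAP = 9,
       SYS_DUP2 = 33, SYS_EXECVE = 59, SYS_EXIT = 60 };

struct gram_db { int grams[MAX_GRAMS][N]; size_t count; };

static int gram_equal(const int *a, const int *b) {
    for (int i = 0; i < N; i++) if (a[i] != b[i]) return 0;
    return 1;
}

static int db_contains(const struct gram_db *db, const int *g) {
    for (size_t i = 0; i < db->count; i++) if (gram_equal(db->grams[i], g)) return 1;
    return 0;                  /* linear scan; a real detector would hash the grams */
}

/* Training: store every distinct N-gram of an attack-free trace. Returns the
 * number of grams stored, or -1 if the database overflowed. */
int db_train(struct gram_db *db, const int *trace, size_t len) {
    for (size_t i = 0; i + N <= len; i++) {
        if (db_contains(db, &trace[i])) continue;
        if (db->count == MAX_GRAMS) return -1;
        for (int k = 0; k < N; k++) db->grams[db->count][k] = trace[i + k];
        db->count++;
    }
    return (int)db->count;
}

/* Detection: how many N-grams of the trace are absent from the database. */
size_t db_mismatches(const struct gram_db *db, const int *trace, size_t len) {
    size_t miss = 0;
    for (size_t i = 0; i + N <= len; i++) if (!db_contains(db, &trace[i])) miss++;
    return miss;
}

/* Alarm when more than threshold_pct of the windows are unseen. Integer math
 * only, so the same check would run on a processor without floating point. */
int is_anomalous(const struct gram_db *db, const int *trace, size_t len, unsigned threshold_pct) {
    if (len < N) return 0;
    size_t windows = len - N + 1;
    return db_mismatches(db, trace, len) * 100 > windows * threshold_pct;
}

/* Constructed traces. Training: a request loop of open/read/write/close. */
const int TRACE_TRAIN[] = { SYS_OPEN, SYS_READ, SYS_WRITE, SYS_CLOSE,
                            SYS_OPEN, SYS_READ, SYS_WRITE, SYS_CLOSE,
                            SYS_OPEN, SYS_READ, SYS_READ, SYS_WRITE, SYS_CLOSE, SYS_EXIT };
/* A normal run that exits after one request. */
const int TRACE_NORMAL[] = { SYS_OPEN, SYS_READ, SYS_WRITE, SYS_CLOSE, SYS_EXIT };
/* A buffer overflow in the read handler whose shellcode spawns a shell. */
const int TRACE_ATTACK[] = { SYS_OPEN, SYS_READ, SYS_DUP2, SYS_DUP2, SYS_EXECVE };
/* Benign but never seen in training (a code path that maps a file): the model
 * flags it just as hard, which is the false-alarm cost the article notes. */
const int TRACE_UNSEEN[] = { SYS_OPEN, SYS_READ, SYS_MMAP, SYS_WRITE, SYS_CLOSE };
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void) {
    struct gram_db db = { {{0}}, 0 };
    printf("grams learned: %d\n", db_train(&db, TRACE_TRAIN, LEN(TRACE_TRAIN)));
    printf("mismatches: normal=%zu attack=%zu unseen-benign=%zu\n",
           db_mismatches(&db, TRACE_NORMAL, LEN(TRACE_NORMAL)),
           db_mismatches(&db, TRACE_ATTACK, LEN(TRACE_ATTACK)),
           db_mismatches(&db, TRACE_UNSEEN, LEN(TRACE_UNSEEN)));
    return 0;
}
```

The attack trace and the unseen-but-benign trace score identically, which is the point the article makes about anomaly detection: the model reports that something is unusual, not that it is hostile, so the training set has to cover every legitimate code path or operators will be paged for normal behaviour.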
