Overview

The goal of an intrusion detection system is to detect inappropriate, incorrect, and unusual activity on a network, or on the hosts belonging to a local network, by monitoring network activity. Determining whether an attack has occurred or been attempted typically requires sifting through huge amounts of data (gathered from the network, host or file system) looking for clues of suspicious activity. There are two general approaches to this problem -- signature detection (also known as misuse detection), where one looks for patterns of well-known attacks, and anomaly detection, which looks for deviations from normal behavior.

Most work on signature and anomaly detection has relied on detecting intrusions at the level of the host processor. A problem with that approach is that even if intrusion activity is detected, one is often unable to prevent the attack from disrupting the system and over-utilizing the system CPU (e.g. in the case of denial-of-service attacks).

As an alternative to relying on the host's CPU to detect intrusions, there is growing interest in utilizing the NIC (network interface card) as part of this process, too. The primary role of NICs in computer systems is to move data between devices on the network. A natural extension to this role would be to actually police the packets forwarded in each direction by examining packet headers and simply not forwarding suspicious packets.

Recently there has been a fair amount of activity in the area of NIC-based computing. Related to the work on NIC-based intrusion detection systems is the use of NICs for firewall security. The idea is to embed firewall-like security at the NIC level. Firewall functionality, such as packet filtering, packet auditing, and support for multi-tiered security levels, has been proposed and, in fact, commercialized in 3Com's embedded firewall.

Rationale

The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection is based on the following points:

· Functions such as signature- and anomaly-based packet classification can be performed on the NIC, which has its own processor and memory. This makes it virtually impossible to bypass or to tamper with (as compared with software-based systems that rely on the host operating system).

· If the host is loaded with other programs running simultaneously with the intrusion detection software, then an intrusion detection system that relies on host processing may be slowed down, thereby adversely affecting the bandwidth available for network transmissions. A NIC-based strategy will not be affected by the load on the host.

· With centralized intrusion detection systems one encounters a problem associated with scalability -- however, this is not the case with NIC-based intrusion detection. Each individual NIC can handle the in-bound and out-bound traffic of the particular processor/local area network it is connected with, thus effectively distributing the work load.

· NIC-based strategies provide better coverage and functional separation, since internal NICs can detect port scans while NICs at the firewall can detect host scans.

· The NIC-based scheme is flexible, dynamically adaptive, and can work in conjunction with existing host-based intrusion detection systems. The host-based intrusion detection system can download new rules/signatures into the NIC on the fly, making the detection process adaptive.

The Challenge

The current disadvantage of NIC-based intrusion detection is that processing capability on the NIC is much slower and the memory sub-system is much smaller when compared with the host. The task of implementing algorithms on the NIC presents several new challenges. For example, NICs typically are not capable of performing floating-point operations. As a result, algorithms implemented for the NIC are forced to resort to estimates based on fixed-point operations. There is also a need to limit the impact on bandwidth and latency for normal, non-intrusive messages. So, the challenge becomes how best to use the NIC's processing capabilities for intrusion detection.

IDS Algorithms

There are two general approaches to the problem of intrusion detection: signature detection (also known as misuse detection), where one looks for patterns that signal well-known attacks, and anomaly detection, which looks for deviations from normal behavior. Signature detection works reliably on known attacks, but has the obvious disadvantage of not being able to detect new attacks. Though anomaly detection can detect novel attacks, it has the drawback of not being able to discern intent. It can only signal that some event is unusual, but not necessarily hostile, thus generating false alarms.

Signature detection methods are better understood and widely applied. They are used both in host-based systems, such as virus detectors, and in network-based systems such as SNORT and BRO. These systems use a set of rules encoding knowledge gleaned from security experts to test files or network traffic for patterns known to occur in attacks. A limitation of these systems is that as new vulnerabilities or attacks are discovered, the rule set must be manually updated. Another disadvantage is that minor variations in attack methods can often defeat such systems.

Anomaly detection is a harder problem than signature detection because, while signatures of attacks can be very precise, what is considered normal is more abstract and ambiguous. Rather than finding rules that characterize attacks, one attempts to find rules that characterize normal behavior. Since what is considered normal could vary across different environments, a distinct model of normalcy can be learned for each one individually. Much of the research in anomaly detection uses the approach of modeling normal behavior from a (presumably) attack-free training set. Because we cannot predict all possible non-hostile behavior, false alarms are inevitable. Researchers found that when a vulnerable UNIX system program or server is attacked (for example, using a buffer overflow to open a root shell), the program makes sequences of system calls that differ from the sequences found under normal operation.

Current network anomaly detection systems such as NIDES, ADAM, and SPADE model only features of the network and transport layer, such as port numbers, IP addresses, and TCP flags. Models built with these features could detect probes (such as port scans) and some denial-of-service (DoS) attacks on the TCP/IP stack, but would not detect attacks of the type where the exploit code is transmitted to a public server in the application payload. Most current anomaly detectors use a stationary model, where the probability of an event depends on its average rate during training and does not vary with time.

While most research in intrusion detection has focused on either signature detection or anomaly detection, most researchers have realized that the two models must work hand-in-hand to be most effective.

Results

The quantitative improvements that were observed for NIC-based IDS when tested against host-based IDS can be attributed to the fact that the operating system of the host does not have to be interrupted by the detection process. Thus, on heavily loaded hosts, admissible network traffic proceeds at a consistent rate, provided the computational and memory resources of the NIC are not stretched.

The benefit of having the NIC do the policing is that it can actually prevent network-based intrusions from wreaking havoc on host systems -- since the intrusive packet, if caught, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot keep up with the rate at which packets are arriving, it can begin dropping packets, as this may be indicative of a denial-of-service attack. If the NIC were to become overwhelmed by such an attack, the host would be spared from it. It is preferable to sacrifice only the NIC to the attack rather than the entire host machine. However, from a technology perspective we are not far away from 1GHz NIC processors (with appropriately larger memory). With those projected systems one can anticipate that NIC-based intrusion detection will do better both from a quantitative standpoint and from a qualitative standpoint (as less restrictive and more robust algorithms may be employed).

Final Comments

Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an embedded firewall network card that fits into standard peripheral slots in PC desktops and servers. The card allows deployment of advanced network security functions, such as virtual private network, firewall and intrusion detection, that protect individual servers and desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of security breaches from people on the internal network.

Because this is a NIC-based firewall/VPN IDS device that is independent of the host, the PCI635 makes the desktop system immune to Windows vulnerability exploits. This is important since software-based security solutions can be rendered useless if the OS is exploited, compromising the computer and potentially the internal network. The intrusion detection system (IDS) is based on Snort and increases security by identifying known security attacks.
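The Challenge section notes that NIC algorithms must fall back on fixed-point estimates, and the IDS Algorithms section describes the stationary anomaly model, in which an event's probability is its average rate during training. The following sketch, added here as an illustration and not code from the original article or from any product it names, combines the two in C using Q16.16 fixed point; the choice of destination port as the feature, the 1024-entry bucket table, the add-one smoothing and the alert threshold are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
/* Q16.16 fixed point: the integer 65536 represents 1.0. The NIC target is
 * assumed to have no floating-point unit, so every score is an integer. */
typedef uint32_t q16_t;
#define Q16_ONE (1u << 16)

/* Stationary frequency model of one feature (TCP destination port). Ports are
 * folded into a small bucket table to fit the NIC's memory; a collision only
 * makes a rare port look more common (a missed detection, never a false alarm). */
enum { N_BUCKETS = 1024 };
static uint32_t bucket_count[N_BUCKETS];
static uint32_t total_seen;
static unsigned bucket_of(uint16_t port) { return port & (N_BUCKETS - 1); }

/* Training: record n observations of a port from the (assumed attack-free) set. */
void train_port(uint16_t port, uint32_t n)
{
    bucket_count[bucket_of(port)] += n;
    total_seen += n;
}

/* Anomaly score = 1 / p(port) in Q16, p being the port's average rate during
 * training (the stationary model). Add-one smoothing, an assumption of this
 * example, keeps a never-seen port finite instead of dividing by zero. */
q16_t score_port(uint16_t port)
{
    uint64_t num = ((uint64_t)total_seen + 1) * Q16_ONE;  /* 64-bit: no overflow */
    return (q16_t)(num / (bucket_count[bucket_of(port)] + 1));
}
/* Per-packet decision on the NIC: 0 = forward, 1 = flag (or drop). */
int is_anomalous(uint16_t port, q16_t threshold)
{
    return score_port(port) > threshold;
}

int main(void)
{
    /* Constructed training sample: 90 packets to port 80, 10 to port 443. */
    train_port(80, 90);
    train_port(443, 10);
    const uint16_t probe[] = { 80, 443, 31337 };
    for (unsigned i = 0; i < 3; i++) {
        q16_t s = score_port(probe[i]);   /* integer part is s >> 16 */
        printf("port %5u score ~%u -> %s\n", probe[i], (unsigned)(s >> 16),
               is_anomalous(probe[i], 20 * Q16_ONE) ? "FLAG" : "pass");
    }
    return 0;
}
```

With the constructed sample, port 80 scores about 1.1, port 443 about 9.2 and the unseen port 31337 about 101, so only the last crosses the assumed threshold of 20.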