Protect your computer and your data


Network Security - NIC-Based Intrusion Detection Systems

Overview

The goal of an intrusion detection system is to detect inappropriate, incorrect, and unusual activity on a network or on the hosts belonging to a local network by monitoring network activity. To determine if an attack has occurred or if one has been attempted typically requires sifting through huge amounts of data (gathered from the network, host or file system) looking for clues of suspicious activity. There are two general approaches to this problem -- signature detection (also known as misuse detection), where one looks for patterns of well-known attacks, and anomaly detection, which looks for deviations from normal behavior.

Most work on signature and anomaly detection has relied on detecting intrusions at the level of the host processor. A problem with that approach is that even if intrusion activity is detected, one is often unable to prevent the attack from disrupting the system and over-utilizing the system CPU (e.g. in the case of denial-of-service attacks).

As an alternative to relying on the host's CPU to detect intrusions, there is growing interest in utilizing the NIC (network interface card) as part of this process, too. The primary role of NICs in computer systems is to move data between devices on the network. A natural extension to this role would be to actually police the packets forwarded in each direction by examining packet headers and simply not forwarding suspicious packets.

Recently there has been a fair amount of activity in the area of NIC-based computing. Related to the work on NIC-based intrusion detection systems is the use of NICs for firewall security. The idea is to embed firewall-like security at the NIC level. Firewall functionality, such as packet filtering, packet auditing, and support for multi-tiered security levels, has been proposed and, actually, commercialized in 3Com's embedded firewall.

Rationale

The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection is based on the following points:

· Functions such as signature- and anomaly-based packet classification can be performed on the NIC, which has its own processor and memory. This makes it virtually impossible to bypass or to tamper with (as compared with software-based systems that rely on the host operating system).

· If the host is loaded with other programs running simultaneously (with the intrusion detection software), then an intrusion detection system that relies on host processing may be slowed down, thereby adversely affecting the bandwidth available for network transmissions. A NIC-based strategy will not be affected by the load on the host.

· With centralized intrusion detection systems one encounters a problem associated with scalability -- however, this is not the case with NIC-based intrusion detection. Each individual NIC can handle the in-bound and out-bound traffic of the particular processor/local area network it is connected with, thus effectively distributing the work load.

· NIC-based strategies provide better coverage and functional separation since internal NICs can detect portscans while NICs at the firewall can detect host-scans.

· The NIC-based scheme is flexible, dynamically adaptive, and can work in conjunction with existing host-based intrusion detection systems. The host-based intrusion detection system can download new rules/signatures into the NIC on the fly, making the detection process adaptive.

The Challenge

The current disadvantage to NIC-based intrusion detection is that processing capability on the NIC is much slower and the memory sub-system is much smaller when compared with the host. The task of implementing algorithms on the NIC presents several new challenges. For example, NICs typically are not capable of performing floating point operations. As a result, algorithms implemented for the NIC are forced to resort to estimates based on fixed-point operations. There is also a need to limit the impact on bandwidth and latency for normal, non-intrusive messages. So, the challenge becomes how best to use the NIC's processing capabilities for intrusion detection.

IDS Algorithms

There are two general approaches to the problem of intrusion detection: signature detection (also known as misuse detection), where one looks for patterns that signal well-known attacks, and anomaly detection, which looks for deviations from normal behavior. Signature detection works reliably on known attacks, but has the obvious disadvantage of not being able to detect new attacks. Though anomaly detection can detect novel attacks, it has the drawback of not being able to discern intent. It can only signal that some event is unusual, but not necessarily hostile, thus generating false alarms.

Signature detection methods are better understood and widely applied. They are used in both host-based systems, such as virus detectors, and in network-based systems such as SNORT and BRO. These systems use a set of rules encoding knowledge gleaned from security experts to test files or network traffic for patterns known to occur in attacks. A limitation of these systems is that as new vulnerabilities or attacks are discovered, the rule set must be manually updated. Another disadvantage is that minor variations in attack methods can often defeat such systems.

Anomaly detection is a harder problem than signature detection because while signatures of attacks can be very precise, what is considered normal is more abstract and ambiguous. Rather than finding rules that characterize attacks, one attempts to find rules that characterize normal behavior. Since what is considered normal could vary across different environments, a distinct model of normalcy can be learned individually. Much of the research in anomaly detection uses the approach of modeling normal behavior from a (presumably) attack-free training set. Because we cannot predict all possible non-hostile behavior, false alarms are inevitable. Researchers found that when a vulnerable UNIX system program or server is attacked (for example, using a buffer overflow to open a root shell), the program makes sequences of system calls that differ from the sequences found under normal operation.

Current network anomaly detection systems such as NIDES, ADAM, and SPADE model only features of the network and transport layer, such as port numbers, IP addresses, and TCP flags. Models built with these features could detect probes (such as port scans) and some denial of service (DOS) attacks on the TCP/IP stack, but would not detect attacks of the type where the exploit code is transmitted to a public server in the application payload. Most current anomaly detectors use a stationary model, where the probability of an event depends on its average rate during training, and does not vary with time. While most research in intrusion detection has focused on either signature detection or anomaly detection, most researchers have realized that the two models must work hand-in-hand to be most effective.

Results

The quantitative improvements that were observed for NIC-based IDS when tested against host-based IDS can be attributed to the fact that the operating system of the host does not have to be interrupted with the detection process. Thus on heavily loaded hosts admissible network traffic proceeds at a consistent rate provided the computational and memory resources of the NIC are not stretched. The benefit of having the NIC do the policing is that it can actually prevent network-based intrusions from wreaking havoc on host systems -- since the intrusive packet, if caught, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot keep up with the rate at which packets are arriving, it can begin dropping the packets, as this may be indicative of a denial-of-service attack. If the NIC were to become overwhelmed by such an attack, the host would be spared from it. It is preferable to sacrifice only the NIC to the attack rather than the entire host machine. However, from a technology perspective we are not far away from 1GHz NIC processors (with appropriately larger memory). With those projected systems one can anticipate that NIC-based intrusion detection will do better both from a quantitative standpoint and from a qualitative standpoint (as less restrictive and more robust algorithms may be employed).

Final Comments

Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an embedded firewall network card that fits into standard peripheral slots in PC desktops and servers. The card allows deployment of advanced network security functions, such as virtual private network, firewall and intrusion detection, that protect individual servers and desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of security breaches from people on the internal network. Because this is a NIC-based firewall/VPN/IDS device that is independent of the host, the PCI635 makes the desktop system immune to Windows vulnerability exploits. This is important since software-based security solutions can be rendered useless if the OS is exploited, compromising the computer and potentially the internal network. The intrusion detection system (IDS) is based on Snort and increases security by identifying known security attacks.


