Overview

The goal of an intrusion detection system is to detect inappropriate, incorrect, and unusual activity on a network or on the hosts belonging to a local network by monitoring network activity. To determine if an attack has occurred or if one has been attempted typically requires sifting through huge amounts of data (gathered from the network, host or file system) looking for clues of suspicious activity. There are two general approaches to this problem: signature detection (also known as misuse detection), where one looks for patterns of well-known attacks, and anomaly detection, which looks for deviations from normal behavior.

Most work on signature and anomaly detection has relied on detecting intrusions at the level of the host processor. A problem with that approach is that even if intrusion activity is detected, one is often unable to prevent the attack from disrupting the system and over-utilizing the system CPU (e.g. in the case of denial-of-service attacks). As an alternative to relying on the host's CPU to detect intrusions, there is growing interest in utilizing the NIC (network interface card) as part of this process, too. The primary role of NICs in computer systems is to move data between devices on the network. A natural extension to this role would be to actually police the packets forwarded in each direction by examining packet headers and simply not forwarding suspicious packets.

Recently there has been a fair amount of activity in the area of NIC-based computing. Related to the work on NIC-based intrusion detection systems is the use of NICs for firewall security. The idea is to embed firewall-like security at the NIC level. Firewall functionality, such as packet filtering, packet auditing, and support for multi-tiered security levels, has been proposed and, in fact, commercialized in 3Com's embedded firewall.

Rationale

The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection is based on the following points:

· Functions such as signature- and anomaly-based packet classification can be performed on the NIC, which has its own processor and memory. This makes it virtually impossible to bypass or to tamper with (as compared with software-based systems that rely on the host operating system).

· If the host is loaded with other programs running simultaneously with the intrusion detection software, then an intrusion detection system that relies on host processing may be slowed down, thereby adversely affecting the bandwidth available for network transmissions. A NIC-based strategy will not be affected by the load on the host.

· With centralized intrusion detection systems one encounters a scalability problem; this is not the case with NIC-based intrusion detection. Each individual NIC can handle the inbound and outbound traffic of the particular processor or local area network it is connected to, thus effectively distributing the workload.

· NIC-based strategies provide better coverage and functional separation, since internal NICs can detect port scans while NICs at the firewall can detect host scans.

· The NIC-based scheme is flexible, dynamically adaptive, and can work in conjunction with existing host-based intrusion detection systems. The host-based intrusion detection system can download new rules/signatures into the NIC on the fly, making the detection process adaptive.

The Challenge

The current disadvantage of NIC-based intrusion detection is that processing capability on the NIC is much slower and the memory sub-system is much smaller when compared with the host. The task of implementing algorithms on the NIC presents several new challenges. For example, NICs typically are not capable of performing floating-point operations. As a result, algorithms implemented for the NIC are forced to resort to estimates based on fixed-point operations. There is also a need to limit the impact on bandwidth and latency for normal, non-intrusive messages. So, the challenge becomes how best to use the NIC's processing capabilities for intrusion detection.

IDS Algorithms

There are two general approaches to the problem of intrusion detection: signature detection (also known as misuse detection), where one looks for patterns that signal well-known attacks, and anomaly detection, which looks for deviations from normal behavior. Signature detection works reliably on known attacks, but has the obvious disadvantage of not being able to detect new attacks. Though anomaly detection can detect novel attacks, it has the drawback of not being able to discern intent. It can only signal that some event is unusual, but not necessarily hostile, thus generating false alarms.

Signature detection methods are better understood and widely applied. They are used in both host-based systems, such as virus detectors, and in network-based systems such as SNORT and BRO. These systems use a set of rules encoding knowledge gleaned from security experts to test files or network traffic for patterns known to occur in attacks. A limitation of these systems is that as new vulnerabilities or attacks are discovered, the rule set must be manually updated. Another disadvantage is that minor variations in attack methods can often defeat such systems.

Anomaly detection is a harder problem than signature detection because, while signatures of attacks can be very precise, what is considered normal is more abstract and ambiguous. Rather than finding rules that characterize attacks, one attempts to find rules that characterize normal behavior. Since what is considered normal could vary across different environments, a distinct model of normalcy can be learned individually. Much of the research in anomaly detection uses the approach of modeling normal behavior from a (presumably) attack-free training set. Because we cannot predict all possible non-hostile behavior, false alarms are inevitable. Researchers found that when a vulnerable UNIX system program or server is attacked (for example, using a buffer overflow to open a root shell), the program makes sequences of system calls that differ from the sequences found under normal operation.

Current network anomaly detection systems such as NIDES, ADAM, and SPADE model only features of the network and transport layer, such as port numbers, IP addresses, and TCP flags. Models built with these features could detect probes (such as port scans) and some denial-of-service (DoS) attacks on the TCP/IP stack, but would not detect attacks of the type where the exploit code is transmitted to a public server in the application payload. Most current anomaly detectors use a stationary model, where the probability of an event depends on its average rate during training and does not vary with time. While most research in intrusion detection has focused on either signature detection or anomaly detection, most researchers have realized that the two models must work hand-in-hand to be most effective.

Results

The quantitative improvements that were observed for NIC-based IDS when tested against host-based IDS can be attributed to the fact that the operating system of the host does not have to be interrupted by the detection process. Thus, on heavily loaded hosts, admissible network traffic proceeds at a consistent rate provided the computational and memory resources of the NIC are not stretched. The benefit of having the NIC do the policing is that it can actually prevent network-based intrusions from wreaking havoc on host systems, since the intrusive packet, if caught, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot keep up with the rate at which packets are arriving, it can begin dropping the packets, as this may be indicative of a denial-of-service attack. If the NIC were to become overwhelmed by such an attack, the host would be spared from it. It is preferable to sacrifice only the NIC to the attack rather than the entire host machine. However, from a technology perspective we are not far away from 1 GHz NIC processors (with appropriately larger memory). With those projected systems one can anticipate that NIC-based intrusion detection will do better both from a quantitative standpoint and from a qualitative standpoint (as less restrictive and more robust algorithms may be employed).

Final Comments

Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an embedded firewall network card that fits into standard peripheral slots in PC desktops and servers. The card allows deployment of advanced network security functions, such as virtual private network, firewall and intrusion detection, that protect individual servers and desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of security breaches from people on the internal network. Because this is a NIC-based firewall/VPN/IDS device that is independent of the host, the PCI635 makes the desktop system immune to Windows vulnerability exploits. This is important since software-based security solutions can be rendered useless if the OS is exploited, compromising the computer and potentially the internal network. The intrusion detection system (IDS) is based on Snort and increases security by identifying known security attacks.
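The following C sketch is an added example, not code from the paper or from any NIC vendor's firmware: it serves both the fixed-point point made under The Challenge and the signature/anomaly discussion under IDS Algorithms by building a stationary anomaly model over destination port and TCP flags (the transport-layer features the text names), evaluating it entirely in Q16 fixed-point integers as a NIC without an FPU would require, and placing one misuse rule ahead of it in the per-packet policing decision. The struct layout, the training set, the 1.5 (98304 in Q16) threshold and the score formula are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical NIC-side scorer. Q16 fixed point (1.0 == 65536): no FPU on the NIC. */
#define Q16_ONE 65536u
#define SYN_FIN 0x03u   /* TCP flag bits FIN (0x01) | SYN (0x02) */

struct pkt { uint16_t dst_port; uint8_t tcp_flags; };
enum verdict { FORWARD, DROP_SIGNATURE, DROP_ANOMALY };

/* Stationary model: per-value counts from attack-free training traffic,
 * using transport-layer header features only (as NIDES, ADAM and SPADE do). */
static uint32_t port_cnt[65536], flag_cnt[256], total;

void train(const struct pkt *p, size_t n) {
    for (size_t i = 0; i < n; i++) { port_cnt[p[i].dst_port]++; flag_cnt[p[i].tcp_flags]++; total++; }
}

/* P(value) = count / total in Q16, truncated; 64-bit intermediate avoids overflow. */
static uint32_t prob_q16(uint32_t count) {
    return total ? (uint32_t)(((uint64_t)count << 16) / total) : 0;
}

/* Score = sum of (1 - P) per feature: port and flags both unseen gives 2.0 (131072). */
uint32_t anomaly_score_q16(struct pkt p) {
    return (Q16_ONE - prob_q16(port_cnt[p.dst_port]))
         + (Q16_ONE - prob_q16(flag_cnt[p.tcp_flags]));
}

/* Per-packet policing: misuse rule first (SYN and FIN together is never produced
 * by a conforming TCP stack), then the anomaly threshold. Drop means "do not forward". */
enum verdict police(struct pkt p, uint32_t threshold_q16) {
    if ((p.tcp_flags & SYN_FIN) == SYN_FIN) return DROP_SIGNATURE;
    return anomaly_score_q16(p) > threshold_q16 ? DROP_ANOMALY : FORWARD;
}

/* Constructed training set: 8 HTTP data segments (PSH|ACK), 2 HTTPS pure acks. */
uint32_t train_demo(void) {
    struct pkt set[10] = {{80, 0x18}, {80, 0x18}, {80, 0x18}, {80, 0x18}, {80, 0x18},
                          {80, 0x18}, {80, 0x18}, {80, 0x18}, {443, 0x10}, {443, 0x10}};
    train(set, 10);
    return total;
}

int main(void) {
    train_demo();
    struct pkt probe = {31337, 0x02};   /* unseen port, bare SYN: unusual, not proven hostile */
    printf("score=%u verdict=%d\n", anomaly_score_q16(probe), police(probe, 98304));
    return 0;
}
```

With the 1.5 threshold the rare but benign HTTPS ack scores 1.6 and is dropped, which is exactly the false alarm the text says a model of "normal" cannot avoid; the NIC simply refuses to forward it rather than interrupting the host.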
|