Article #293: Network Security - NIC-Based Intrusion Detection Systems


 
Overview

The goal of an intrusion detection system (IDS) is to detect inappropriate, incorrect and unusual activity on a network, or on the hosts belonging to a local network, by monitoring network activity. Determining whether an attack has occurred or been attempted typically requires sifting through huge amounts of data (gathered from the network, the host or the file system) looking for clues of suspicious activity. There are two general approaches to this problem: signature detection (also known as misuse detection), which looks for patterns of well-known attacks, and anomaly detection, which looks for deviations from normal behavior.

Most work on signature and anomaly detection has relied on detecting intrusions on the host processor. A problem with that approach is that even when intrusion activity is detected, one is often unable to prevent the attack from disrupting the system and over-utilizing the host CPU (e.g. in the case of denial-of-service attacks). As an alternative to relying solely on the host's CPU to detect intrusions, there is growing interest in making the NIC (network interface card) part of the detection process as well. The primary role of a NIC is to move data between devices on the network. A natural extension of this role is to police the packets forwarded in each direction by examining packet headers and simply not forwarding suspicious packets.

Recently there has been a fair amount of activity in NIC-based computing. Related to NIC-based intrusion detection is the use of NICs for firewall security: embedding firewall-like protection at the NIC level. Firewall functionality such as packet filtering, packet auditing and support for multi-tiered security levels has been proposed and, in fact, commercialized in 3Com's embedded firewall.

Rationale

The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection rests on the following points:

· Functions such as signature- and anomaly-based packet classification can be performed on the NIC, which has its own processor and memory. Detection logic running there is far harder to bypass or tamper with from a compromised host than software-based systems that rely on the host operating system, provided the NIC's own firmware and its rule-update channel are themselves protected.

· If the host is loaded with other programs running at the same time as the intrusion detection software, a detection system that relies on host processing may be slowed down, reducing the bandwidth available for network transmission. A NIC-based strategy is not affected by the load on the host.

· Centralized intrusion detection systems face a scalability problem; NIC-based detection does not. Each NIC handles the inbound and outbound traffic of the processor or local network it is attached to, so the workload is effectively distributed.

· NIC-based strategies provide better coverage and functional separation: NICs on internal hosts can detect port scans, while NICs at the firewall can detect host scans.

· The NIC-based scheme is flexible and dynamically adaptive, and can work together with existing host-based intrusion detection systems. The host-based IDS can download new rules and signatures into the NIC on the fly, making the detection process adaptive.

The Challenge

The current disadvantage of NIC-based intrusion detection is that processing capability on the NIC is much slower, and its memory subsystem much smaller, than the host's. Implementing algorithms on the NIC therefore presents several new challenges. For example, NICs typically cannot perform floating-point operations, so algorithms implemented for the NIC must resort to estimates based on fixed-point (integer) arithmetic. There is also a need to limit the impact on bandwidth and latency for normal, non-intrusive traffic. The challenge, then, is how best to use the NIC's limited processing capability for intrusion detection.

IDS Algorithms

There are two general approaches to intrusion detection: signature detection (also known as misuse detection), which looks for patterns that signal well-known attacks, and anomaly detection, which looks for deviations from normal behavior. Signature detection works reliably on known attacks but has the obvious disadvantage of not being able to detect new ones. Anomaly detection can detect novel attacks, but it cannot discern intent: it can only signal that some event is unusual, not that it is hostile, and so it generates false alarms.

Signature detection methods are better understood and more widely applied. They are used both in host-based systems, such as virus detectors, and in network-based systems such as Snort and Bro. These systems use a set of rules encoding knowledge gleaned from security experts to test files or network traffic for patterns known to occur in attacks. One limitation of these systems is that as new vulnerabilities or attacks are discovered, the rule set must be updated manually. Another is that minor variations in attack methods can often defeat them.

Anomaly detection is a harder problem than signature detection: attack signatures can be very precise, while what counts as normal is more abstract and ambiguous. Rather than finding rules that characterize attacks, one tries to find rules that characterize normal behavior. Since what is normal varies between environments, a distinct model of normalcy can be learned for each one. Much of the research in anomaly detection models normal behavior from a (presumably) attack-free training set. Because we cannot predict all possible non-hostile behavior, false alarms are inevitable. Researchers have found that when a vulnerable UNIX system program or server is attacked (for example, by using a buffer overflow to open a root shell), the program makes sequences of system calls that differ from the sequences seen under normal operation.

Current network anomaly detection systems such as NIDES, ADAM and SPADE model only features of the network and transport layers, such as port numbers, IP addresses and TCP flags. Models built from these features can detect probes (such as port scans) and some denial-of-service (DoS) attacks on the TCP/IP stack, but cannot detect attacks in which the exploit code is delivered to a public server in the application payload. Most current anomaly detectors also use a stationary model, in which the probability of an event depends on its average rate during training and does not vary with time. While most intrusion detection research has focused on either signature detection or anomaly detection, most researchers now recognize that the two must work hand in hand to be most effective.

Results

The quantitative improvements observed for NIC-based IDS when tested against host-based IDS can be attributed to the fact that the host operating system is not interrupted by the detection process. On heavily loaded hosts, admissible network traffic therefore proceeds at a consistent rate, provided the NIC's computational and memory resources are not stretched. The benefit of having the NIC do the policing is that it can actually prevent network-based intrusions from wreaking havoc on the host, since an intrusive packet, if caught, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot keep up with the rate at which packets are arriving, it can begin dropping packets, since such a rate may itself indicate a denial-of-service attack. Should the NIC be overwhelmed by such an attack, the host is still spared: it is preferable to sacrifice only the NIC to the attack rather than the entire host machine. From a technology perspective we are not far from 1 GHz NIC processors with correspondingly larger memory. With those projected systems one can anticipate that NIC-based intrusion detection will do better both quantitatively and qualitatively, as less restrictive and more robust algorithms can be employed.

Final Comments

Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an embedded firewall network card that fits into standard peripheral slots in PC desktops and servers. The card allows deployment of network security functions such as VPN, firewall and intrusion detection that protect individual servers and desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of breaches from people on the internal network. Because it is a NIC-based firewall/VPN/IDS device that is independent of the host, its protections are not disabled by an exploit of the Windows system it is installed in. This matters because software-based security solutions can be rendered useless once the OS is exploited, compromising the computer and potentially the internal network. The card's intrusion detection system is based on Snort and increases security by identifying known attacks.
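The header-only policing described in the Overview, under the fixed-point constraint from The Challenge, as an added example written for this page (it is not the article's code, nor 3Com or CyberGuard firmware): a C filter that applies two signature rules on IPv4/TCP header fields and one anomaly rule, a SYN-rate limit learned during an attack-free training period and tracked with an integer-only Q16 exponentially weighted moving average. The packets, addresses, the 4x-of-normal tolerance with a floor of 4 per tick, and the tick structure are all constructed for the illustration.

```c
/* Header-only packet policing with integer-only (fixed-point) rate
 * estimation, the way a NIC without an FPU has to do it. Added
 * illustration; not the article's code nor 3Com/CyberGuard firmware. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum verdict { FORWARD, DROP_MALFORMED, DROP_SIGNATURE, DROP_RATE };
enum { PROTO_TCP = 6, TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_ACK = 0x10 };
#define Q16_ONE   65536u            /* 1.0 in Q16 fixed point */
#define ALPHA_Q16 (Q16_ONE / 8)     /* EWMA weight 1/8 */

struct pkt { uint32_t saddr, daddr; uint8_t proto, flags; };

/* Parse just enough IPv4/TCP to reach the header fields the policy uses. */
static int parse_ipv4(const uint8_t *b, size_t len, struct pkt *p)
{
    if (len < 20 || (b[0] >> 4) != 4) return 0;
    size_t ihl = (b[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl) return 0;
    memset(p, 0, sizeof *p);
    p->proto = b[9];
    memcpy(&p->saddr, b + 12, 4);
    memcpy(&p->daddr, b + 16, 4);
    if (p->proto == PROTO_TCP && len < ihl + 20) return 0;
    if (p->proto == PROTO_TCP) p->flags = b[ihl + 13];
    return 1;
}

struct nic_state {
    uint32_t syn_ewma_q16, syn_this_tick;  /* learned SYNs per tick (Q16); count so far */
    uint32_t burst_mult_q16, min_syn;      /* tolerated multiple of normal (Q16); floor */
    int training;                          /* 1 = learn from clean traffic, 0 = enforce */
};
struct nic_state FRESH_NIC = { 0, 0, 4 * Q16_ONE, 4, 1 };   /* allow 4x normal, never < 4 */

/* Timer tick: ewma += alpha * (sample - ewma), entirely in integer Q16 arithmetic. */
static void nic_end_tick(struct nic_state *s)
{
    if (s->training) {
        int64_t diff = (int64_t)(s->syn_this_tick << 16) - (int64_t)s->syn_ewma_q16;
        s->syn_ewma_q16 = (uint32_t)((int64_t)s->syn_ewma_q16 + ((diff * ALPHA_Q16) >> 16));
    }
    s->syn_this_tick = 0;
}

/* limit = ewma * burst_mult: Q16 * Q16 is Q32, shift back to an integer. */
static uint32_t nic_syn_limit(const struct nic_state *s)
{
    uint64_t lim = ((uint64_t)s->syn_ewma_q16 * s->burst_mult_q16) >> 32;
    return lim < s->min_syn ? s->min_syn : (uint32_t)lim;
}

enum verdict nic_police(struct nic_state *s, const uint8_t *b, size_t len)
{
    struct pkt p;
    if (!parse_ipv4(b, len, &p)) return DROP_MALFORMED;
    /* Signature rules that need only header fields. */
    if (p.saddr == p.daddr) return DROP_SIGNATURE;     /* src == dst (Land-style) */
    if (p.proto == PROTO_TCP && (p.flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN))
        return DROP_SIGNATURE;                         /* impossible flag combination */
    /* Anomaly rule: connection-request rate against the learned baseline. */
    if (p.proto == PROTO_TCP && (p.flags & TCP_SYN) && !(p.flags & TCP_ACK)) {
        s->syn_this_tick++;
        if (!s->training && s->syn_this_tick > nic_syn_limit(s)) return DROP_RATE;
    }
    return FORWARD;
}

/* Constructed test input: 40-byte IPv4+TCP header, port 40000 -> 80, in a static buffer. */
const uint8_t *tcp_pkt(uint32_t sa, uint32_t da, uint8_t flags)
{
    static uint8_t b[40];
    memset(b, 0, sizeof b);
    b[0] = 0x45; b[3] = 40; b[8] = 64; b[9] = PROTO_TCP;
    memcpy(b + 12, &sa, 4); memcpy(b + 16, &da, 4);
    b[20] = 0x9c; b[21] = 0x40; b[23] = 80; b[32] = 0x50; b[33] = flags;
    return b;
}

/* Learn from 8 quiet ticks (2 SYNs each), then push a 20-SYN burst through one tick;
 * returns how many of the burst's SYNs were rate-dropped. */
int run_demo(void)
{
    struct nic_state s = FRESH_NIC;
    int dropped = 0;
    for (int tick = 0; tick < 8; tick++) {
        for (uint32_t i = 0; i < 2; i++)
            nic_police(&s, tcp_pkt(0x0a000001u + i, 0x0a000002u, TCP_SYN), 40);
        nic_end_tick(&s);
    }
    s.training = 0;
    for (int i = 0; i < 20; i++)
        if (nic_police(&s, tcp_pkt(0x0a000099u, 0x0a000002u, TCP_SYN), 40) == DROP_RATE)
            dropped++;
    return dropped;
}

int main(void)
{
    printf("rate-dropped SYNs in a 20-SYN burst after training: %d\n", run_demo());
    return 0;
}
```

run_demo() learns a baseline of about 1.3 SYNs per tick from the quiet traffic, so 4x that rounds to a limit of 5; of the 20-SYN burst, 15 are dropped on the card and never reach the host. The table-driven shape of nic_police is what makes the Rationale's adaptive scheme possible: a host-based IDS can push new header rules or a new tolerance into the NIC without touching the data path. Note that a fixed Q16 baseline is exactly the stationary model the IDS Algorithms section criticizes; a real deployment would keep learning (with a slower alpha) after the training period ends.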
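The system-call-sequence result mentioned under IDS Algorithms, as an added example written for this page (it follows the windows-of-syscalls idea from the research the article summarizes, but is not that research's code): every length-4 window of calls seen in attack-free traces is recorded, and a new trace is scored by how many of its windows were never seen in training. The traces are constructed; the "attack" trace mimics shellcode run after a buffer overflow (setuid, dup2, execve), and a benign-but-unseen trace is included to show the false-alarm problem the text describes.

```c
/* Sequence-of-system-calls anomaly detector: learn every length-K window
 * of calls seen in attack-free traces, then flag windows never seen in
 * training. Added example in the spirit of the research the article
 * describes; the traces are constructed for illustration, not recorded. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define K         4        /* window length */
#define MAX_GRAMS 256      /* fixed table: no dynamic allocation */

enum sc { OPEN, READ, WRITE, CLOSE, MMAP, BRK, SETUID, DUP2, EXECVE };

struct model { uint8_t gram[MAX_GRAMS][K]; int n; };

static int model_has(const struct model *m, const uint8_t *w)
{
    for (int i = 0; i < m->n; i++)
        if (memcmp(m->gram[i], w, K) == 0) return 1;
    return 0;
}

/* Training phase: record each distinct window; returns 0 if the table fills. */
int model_train(struct model *m, const uint8_t *trace, int len)
{
    for (int i = 0; i + K <= len; i++) {
        if (model_has(m, trace + i)) continue;
        if (m->n == MAX_GRAMS) return 0;
        memcpy(m->gram[m->n++], trace + i, K);
    }
    return 1;
}

/* Detection phase: number of windows absent from the model. *total gets
 * the number of windows scored so the caller can apply a ratio threshold. */
int model_score(const struct model *m, const uint8_t *trace, int len, int *total)
{
    int miss = 0, n = 0;
    for (int i = 0; i + K <= len; i++, n++)
        if (!model_has(m, trace + i)) miss++;
    if (total) *total = n;
    return miss;
}

/* Constructed "normal" traces of a file-serving loop (the training set). */
const uint8_t TRAIN_A[] = { OPEN, READ, MMAP, WRITE, CLOSE, OPEN, READ, WRITE, CLOSE };
const uint8_t TRAIN_B[] = { OPEN, READ, BRK, MMAP, WRITE, WRITE, CLOSE };
/* Constructed test traces: one normal, one benign but unseen, one that
 * looks like shellcode run after a buffer overflow (setuid/dup2/execve). */
const uint8_t TEST_NORMAL[] = { OPEN, READ, MMAP, WRITE, CLOSE };
const uint8_t TEST_UNSEEN[] = { OPEN, READ, WRITE, BRK, CLOSE };
const uint8_t TEST_ATTACK[] = { OPEN, READ, READ, SETUID, DUP2, DUP2, EXECVE };

/* Score a trace against a model built once from the two training traces. */
int score_against_training(const uint8_t *trace, int len, int *total)
{
    static struct model m;
    static int trained;
    if (!trained) {
        model_train(&m, TRAIN_A, (int)sizeof TRAIN_A);
        model_train(&m, TRAIN_B, (int)sizeof TRAIN_B);
        trained = 1;
    }
    return model_score(&m, trace, len, total);
}

int main(void)
{
    const uint8_t *t[] = { TEST_NORMAL, TEST_UNSEEN, TEST_ATTACK };
    int lens[] = { (int)sizeof TEST_NORMAL, (int)sizeof TEST_UNSEEN, (int)sizeof TEST_ATTACK };
    const char *label[] = { "normal", "unseen but benign", "overflow -> shell" };
    for (int i = 0; i < 3; i++) {
        int total, miss = score_against_training(t[i], lens[i], &total);
        printf("%-18s %d of %d windows unseen%s\n", label[i], miss, total,
               miss ? "  <- alarm" : "");
    }
    return 0;
}
```

The normal trace scores 0 of 2 windows unseen and the overflow trace 4 of 4, but the benign trace that merely orders write and brk differently from anything in training scores 2 of 2 and raises the same alarm: this is the article's point that training cannot cover all non-hostile behavior, so false alarms are inevitable. Practitioners therefore threshold on the mismatch ratio over a run of windows rather than on a single unseen window, and retrain when the program or its workload changes.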