Overview

The goal of an intrusion detection system is to detect inappropriate, incorrect, and unusual activity on a network or on the hosts belonging to a local network by monitoring network activity. Determining whether an attack has occurred or has been attempted typically requires sifting through huge amounts of data (gathered from the network, host or file system) looking for clues of suspicious activity. There are two general approaches to this problem -- signature detection (also known as misuse detection), where one looks for patterns of well-known attacks, and anomaly detection, which looks for deviations from normal behavior.

Most work on signature and anomaly detection has relied on detecting intrusions at the level of the host processor. A problem with that approach is that even if intrusion activity is detected, one is often unable to prevent the attack from disrupting the system and over-utilizing the system CPU (e.g. in the case of denial-of-service attacks).

As an alternative to relying on the host's CPU to detect intrusions, there is growing interest in utilizing the NIC (network interface card) as part of this process, too. The primary role of NICs in computer systems is to move data between devices on the network. A natural extension of this role would be to actually police the packets forwarded in each direction by examining packet headers and simply not forwarding suspicious packets.

Recently there has been a fair amount of activity in the area of NIC-based computing. Related to the work on NIC-based intrusion detection systems is the use of NICs for firewall security. The idea is to embed firewall-like security at the NIC level. Firewall functionality, such as packet filtering, packet auditing, and support for multi-tiered security levels, has been proposed and actually commercialized in 3Com's embedded firewall.

Rationale

The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection is based on the following points:

· Functions such as signature- and anomaly-based packet classification can be performed on the NIC, which has its own processor and memory. This makes it virtually impossible to bypass or to tamper with (as compared with software-based systems that rely on the host operating system).

· If the host is loaded with other programs running simultaneously with the intrusion detection software, then an intrusion detection system that relies on host processing may be slowed down, thereby adversely affecting the bandwidth available for network transmissions. A NIC-based strategy will not be affected by the load on the host.

· With centralized intrusion detection systems one encounters a problem of scalability; this is not the case with NIC-based intrusion detection. Each individual NIC handles the inbound and outbound traffic of the particular processor/local area network it is connected to, thus effectively distributing the workload.

· NIC-based strategies provide better coverage and functional separation, since internal NICs can detect port scans while NICs at the firewall can detect host scans.

· The NIC-based scheme is flexible, dynamically adaptive, and can work in conjunction with existing host-based intrusion detection systems. The host-based intrusion detection system can download new rules/signatures into the NIC on the fly, making the detection process adaptive.

The Challenge

The current disadvantage of NIC-based intrusion detection is that processing capability on the NIC is much slower and the memory sub-system much smaller when compared with the host. Implementing algorithms on the NIC therefore presents several new challenges. For example, NICs typically are not capable of performing floating-point operations. As a result, algorithms implemented for the NIC are forced to resort to estimates based on fixed-point operations. There is also a need to limit the impact on bandwidth and latency for normal, non-intrusive messages. So, the challenge becomes how best to use the NIC's processing capabilities for intrusion detection.

IDS Algorithms

There are two general approaches to the problem of intrusion detection: signature detection (also known as misuse detection), where one looks for patterns that signal well-known attacks, and anomaly detection, which looks for deviations from normal behavior. Signature detection works reliably on known attacks, but has the obvious disadvantage of not being able to detect new attacks. Though anomaly detection can detect novel attacks, it has the drawback of not being able to discern intent. It can only signal that some event is unusual, but not necessarily hostile, thus generating false alarms.

Signature detection methods are better understood and widely applied. They are used in both host-based systems, such as virus detectors, and in network-based systems such as SNORT and BRO. These systems use a set of rules encoding knowledge gleaned from security experts to test files or network traffic for patterns known to occur in attacks. A limitation of these systems is that as new vulnerabilities or attacks are discovered, the rule set must be manually updated. Another disadvantage is that minor variations in attack methods can often defeat such systems.

Anomaly detection is a harder problem than signature detection because, while signatures of attacks can be very precise, what is considered normal is more abstract and ambiguous. Rather than finding rules that characterize attacks, one attempts to find rules that characterize normal behavior. Since what is considered normal could vary across different environments, a distinct model of normalcy can be learned for each. Much of the research in anomaly detection uses the approach of modeling normal behavior from a (presumably) attack-free training set. Because we cannot predict all possible non-hostile behavior, false alarms are inevitable. Researchers found that when a vulnerable UNIX system program or server is attacked (for example, using a buffer overflow to open a root shell), the program makes sequences of system calls that differ from the sequences found under normal operation.

Current network anomaly detection systems such as NIDES, ADAM, and SPADE model only features of the network and transport layer, such as port numbers, IP addresses, and TCP flags. Models built with these features could detect probes (such as port scans) and some denial-of-service (DoS) attacks on the TCP/IP stack, but would not detect attacks of the type where the exploit code is transmitted to a public server in the application payload. Most current anomaly detectors use a stationary model, where the probability of an event depends on its average rate during training and does not vary with time. While most research in intrusion detection has focused on either signature detection or anomaly detection, most researchers have realized that the two models must work hand-in-hand to be most effective.

Results

The quantitative improvements that were observed for NIC-based IDS when tested against host-based IDS can be attributed to the fact that the operating system of the host does not have to be interrupted by the detection process. Thus on heavily loaded hosts admissible network traffic proceeds at a consistent rate, provided the computational and memory resources of the NIC are not stretched. The benefit of having the NIC do the policing is that it can actually prevent network-based intrusions from wreaking havoc on host systems -- since the intrusive packet, if caught, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot keep up with the rate at which packets are arriving, it can begin dropping packets, since this may be indicative of a denial-of-service attack. If the NIC were to become overwhelmed by such an attack, the host would be spared from it. It is preferable to sacrifice only the NIC to the attack rather than the entire host machine. However, from a technology perspective we are not far away from 1GHz NIC processors (with appropriately larger memory). With those projected systems one can anticipate that NIC-based intrusion detection will do better both from a quantitative standpoint and from a qualitative standpoint (as less restrictive and more robust algorithms may be employed).

Final Comments

Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an embedded firewall network card that fits into standard peripheral slots in PC desktops and servers. The card allows deployment of advanced network security functions, such as virtual private network, firewall and intrusion detection, that protect individual servers and desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of security breaches from people on the internal network.

Because this is a NIC-based firewall/VPN/IDS device that is independent of the host, the PCI635 makes the desktop system immune to Windows vulnerability exploits. This is important since software-based security solutions can be rendered useless if the OS is exploited, compromising the computer and potentially the internal network. The intrusion detection system (IDS) is based on Snort and increases security by identifying known security attacks.
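The fixed-point constraint described under The Challenge and the stationary header-feature model described under IDS Algorithms, combined in one added C example (this is not the article's or any vendor's code): it trains on a constructed packet sample, scores new packets as "surprise" using integer operations only, and applies the forwarding decision the Results section describes. The port numbers, TCP flag bytes, bucket layout and threshold are assumed values chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not the article's code): a stationary anomaly model over
 * transport-layer header features, trained on presumably attack-free traffic
 * and scored with integer-only arithmetic, as a NIC without a floating-point
 * unit must. Scores are Q24.8 fixed point (256 == one bit of surprise). */

#define NPORTS 1025   /* ports 0..1023 individually, one shared bucket above */
#define NFLAGS 256    /* one bucket per TCP flag byte value */
#define FRAC   8      /* fractional bits of the fixed-point score */
static struct { uint32_t port[NPORTS], flags[NFLAGS], total; } model;
static unsigned port_bucket(uint16_t p) { return p < 1024 ? p : 1024; }

/* Training phase: count how often each header feature value occurs. */
void train(uint16_t dport, uint8_t flags) {
    model.port[port_bucket(dport)]++;
    model.flags[flags]++;
    model.total++;
}
/* Constructed training set (not real traffic): 90 HTTP data segments and
 * 10 SSH ACKs. Returns the number of packets learned. */
uint32_t build_sample_model(void) {
    memset(&model, 0, sizeof model);
    for (int i = 0; i < 90; i++) train(80, 0x18);   /* PSH|ACK to port 80 */
    for (int i = 0; i < 10; i++) train(22, 0x10);   /* ACK to port 22 */
    return model.total;
}

/* log2(x) in Q24.8 with integer ops only: exact integer part from the bit
 * position, fractional part by linear interpolation of the mantissa. */
static uint32_t log2_q8(uint32_t x) {            /* x must be >= 1 */
    uint32_t n = 0, t = x;
    while (t >>= 1) n++;                         /* n = floor(log2 x) */
    uint32_t mant = n >= FRAC ? x >> (n - FRAC) : x << (FRAC - n); /* 256..511 */
    return (n << FRAC) + (mant - (1u << FRAC));  /* log2(1 + f) ~= f */
}
/* -log2(count/total); an unseen value gets a pseudo-count of 1 (maximally
 * surprising) instead of causing a division by zero. */
static uint32_t surprise(uint32_t count) {
    return log2_q8(model.total ? model.total : 1) - log2_q8(count ? count : 1);
}
uint32_t score(uint16_t dport, uint8_t flags) {
    return surprise(model.port[port_bucket(dport)]) + surprise(model.flags[flags]);
}
/* A packet scoring at or above the threshold is not handed to the host. */
int forward(uint16_t dport, uint8_t flags, uint32_t threshold) {
    return score(dport, flags) < threshold;
}
```

With a threshold of 2048 (eight bits of surprise), a seen-but-rare packet to port 22 still passes, while a never-seen port and flag combination scores 3360 and is dropped; lowering the threshold trades missed attacks for more of the false alarms the article discusses.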