Network intrusion
detection/prevention systems
#2
As seen in previous presentation
Signature-based analysis
• pattern matching
• patterns of malicious traffic
• very elementary (basically grepping)
+ huge community for rule generation
+ great for low-level analysis (rules are very specific)
+ not taking too many resources
- lower performance with a big ruleset
- a slight attack variation can beat the rule
Protocol-based analysis
• reviewing network data
• strictly based on layer headers
• knowledge of expected values
+ better possibility for scalability
+ generic, able to catch zero-day exploits
- protocol header preprocessors need resources
- rules can get extremely difficult to write/understand
- provide little information; the admin has to investigate
TOC
• Shunting
• Risks of live data analysis
• Fast string-matching algorithm for NIDS
Shunting
Traffic analysis problems and solutions
• higher data rates every day (everything needs to be analyzed)
• custom IDS hardware is put in place (high cost, network structure change)
What's shunting?
• combination of a HW and a SW IPS
• running on simple commodity PC hardware
• HW element:
  • several large state tables indexed by packet header fields (TCP/IP flags, connection tuples, IP addresses)
Packet work
• Every packet is fast-checked by the HW element; it can be
  • forwarded to the destination
  • dropped completely
  • shunted through the IPS
• Table entries in the HW element can be configured to
  • specify traffic to examine
  • block malicious traffic
  • cut through portions of traffic streams
Shunting Example
• IPS monitoring SSH traffic
• New connection is opened
• Shunt fails to find an entry in the per-address (standard connections) or per-connection (encrypted connections) tables
• Traffic is diverted to the IPS and analyzed
• Packets are dropped or injected back into the network
Shunting architecture
• Shunt tables work like a cache and by default they're read-only (the table doesn't update itself)
• The analysis engine (IPS) has to maintain connection states and also update the Shunt tables
Breakdown of the Traffic
Shunt advantages
• Separation of policy and mechanism
• Keeping things simple (memory access limits per packet)
• Minimal need for buffering
• When set up properly, the IDS can offload 55%-90% of all traffic
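The packet path on the shunting slides above (fast check against the HW tables, diversion of unknown traffic to the IPS, and the analysis engine writing per-address and per-connection entries back so that an encrypted SSH session is cut through in hardware) as a runnable Python model. This is an added example written for this page, not code from the Shunting paper or its authors; the table layout, the `conn_key` format, the `EVIL` payload signature, the banner-based "session is now encrypted" rule, and every address and packet are constructed for illustration.

```python
# Shunt decision model: a constructed simulation written for this page, not the
# Gonzalez/Paxson/Weaver Shunting implementation. The hardware element is modelled
# as two lookup tables; the analysis engine sees only the diverted packets.
from dataclasses import dataclass

FORWARD, DROP, DIVERT = "forward", "drop", "divert"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def conn_key(pkt):
    """Direction-independent connection identifier (hypothetical key format)."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class ShuntTables:
    """HW element state: per-address and per-connection tables consulted per packet.
    They behave like a read-only cache: only the analysis engine writes to them."""

    def __init__(self, default=DIVERT):
        self.per_address = {}     # ip -> FORWARD/DROP/DIVERT
        self.per_connection = {}  # conn_key -> FORWARD/DROP/DIVERT
        self.default = default    # unknown traffic is shunted through the IPS

    def lookup(self, pkt):
        key = conn_key(pkt)
        if key in self.per_connection:
            return self.per_connection[key]
        for ip in (pkt.src, pkt.dst):
            if ip in self.per_address:
                return self.per_address[ip]
        return self.default


class AnalysisEngine:
    """Software IPS: keeps connection state and writes verdicts back into the tables."""

    def __init__(self, tables, blocked_addresses=(), signatures=(b"EVIL",)):
        self.tables = tables
        self.signatures = signatures   # constructed payload signatures
        self.banners = {}              # conn_key -> hosts that sent an SSH banner
        for ip in blocked_addresses:   # policy: addresses known bad up front
            tables.per_address[ip] = DROP

    def inspect(self, pkt):
        key = conn_key(pkt)
        if any(sig in pkt.payload for sig in self.signatures):
            # malicious: drop now, and let the HW drop everything else from that host
            self.tables.per_address[pkt.src] = DROP
            return DROP
        if pkt.dport == 22 or pkt.sport == 22:
            if pkt.payload.startswith(b"SSH-"):
                self.banners.setdefault(key, set()).add(pkt.src)
            if len(self.banners.get(key, ())) == 2:
                # both sides exchanged banners; the rest of the session is encrypted
                # and opaque to the IPS, so cut it through in hardware from now on
                self.tables.per_connection[key] = FORWARD
        return FORWARD


def run(packets, tables, engine):
    """Process packets in order; return counters and the fraction handled by HW alone."""
    stats = {"hw_forward": 0, "hw_drop": 0, "diverted": 0,
             "engine_forward": 0, "engine_drop": 0}
    for pkt in packets:
        action = tables.lookup(pkt)
        if action == DIVERT:
            stats["diverted"] += 1
            verdict = engine.inspect(pkt)
            stats["engine_" + verdict] += 1
        else:
            stats["hw_" + action] += 1
    stats["offload"] = (stats["hw_forward"] + stats["hw_drop"]) / len(packets)
    return stats


def constructed_traffic():
    """Constructed sample traffic: one SSH session, a pre-blocked host, one attacker."""
    client, server = ("10.0.0.5", 40000), ("10.0.0.9", 22)
    pkts = [Packet(*client, *server, b"SSH-2.0-client\r\n"),
            Packet(*server, *client, b"SSH-2.0-server\r\n")]
    for i in range(8):  # encrypted records in both directions after the banner exchange
        pkts.append(Packet(*client, *server, bytes([i]) * 16))
        pkts.append(Packet(*server, *client, bytes([i + 100]) * 16))
    pkts += [Packet("192.0.2.7", 5000 + i, "10.0.0.9", 22, b"\x00") for i in range(3)]
    pkts += [Packet("198.51.100.4", 6000 + i, "10.0.0.9", 80, b"GET /EVIL") for i in range(3)]
    return pkts


def simulate():
    tables = ShuntTables()
    engine = AnalysisEngine(tables, blocked_addresses=["192.0.2.7"])
    return run(constructed_traffic(), tables, engine)


if __name__ == "__main__":
    print(simulate())
```

Over the 24 constructed packets only 3 reach the engine (the two SSH banners and the first malicious payload); the other 21 are forwarded or dropped by the tables alone, an offload of 87.5%, inside the range the slide quotes. The point to notice is that the engine sees exactly the packets whose verdict is not yet cached, and that a DROP entry installed after one malicious payload keeps later packets from that host out of the engine entirely.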
Network Intrusion Detection Systems #2
Analysis
• Live analysis
  • using software present during the investigated timeframe
  • system is kept running
  • admins are reviewing apps and logs
  • relies on applications that could have been modified to produce false data
• Dead analysis
  • system is shut down
  • an image of the HDD is made and analyzed in the lab
Murder in the Hotel Room
False Data - Rootkits
• inserts a filter in the data flow
  • application level, user-mode level (needs to replace ls, find, du)
  • system libraries level
  • kernel level
  • system call level (via wrappers)
Rootkit Countermeasures
• Application level: trusted tools
• Library level: statically compiled trusted tools (some systems require dynamic libraries)
• Kernel rootkits: basic read calls instead of system calls
Live analysis future
• Use of specialized hardware for HDD images (so that dead analysis can be performed)
• Change of system design, isolation of software components
• The precedent in digital forensics is to prefer dead analysis over live; if many computers are involved, live analysis can save time.
Introduction
• Based on the SNORT ruleset
• Need for efficient algorithms
  • complexity increases with the number of patterns of various sizes in every ruleset
  • case sensitivity might be involved
  • rule patterns are ASCII chars (not uniformly distributed), network traffic is binary data
  • prioritization among signatures might be involved
Overview
• Based on
  • prefix sliding window (PSW)
  • skip distance table (STD)
  • rule hashing table (RHT)
• Compile-time and runtime preprocessing
Skip Distance Table
• matching the string "abc" (0x61, 0x62, 0x63) with a 3-byte window
• window in the range 0x000061-0xFFFF61 (last byte is 0x61): shift 2, so the window 0x61???? can be evaluated next
• window in the range 0x006162-0xFF6162 (last two bytes are 0x6162): shift 1, so the window 0x6162?? can be evaluated next
• etc.
Rule Hashing Table
• Designed for storing collision entries under one key
• Collisions are stored in a prioritized linked list in the Rule Status Table (RST)
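The Skip Distance Table and Rule Hashing Table slides above, worked through as a small multi-pattern matcher in Python. This is an added example, a simplified reconstruction of the idea on the slides and not the Liu et al. (2004) implementation or its data structures: the window width, the `Rule` type with its hypothetical Snort-style `sid` values, and the sample patterns and payload are constructed. Rather than precomputing an entry for every possible 3-byte window value as the slide's ranges imply, `skip()` derives the same distance from the rule prefixes on demand; the rule hash table is a dict keyed by each rule's W-byte prefix whose bucket is the priority-ordered list of colliding rules.

```python
# Multi-pattern matching with a prefix sliding window, skip distances and a rule
# hash table. Constructed teaching example written for this page; not the
# Liu et al. (2004) algorithm as published.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int            # hypothetical Snort-style rule id
    pattern: bytes
    priority: int = 3   # lower number = higher priority


class PrefixMatcher:
    def __init__(self, rules):
        if not rules:
            raise ValueError("need at least one rule")
        self.rules = list(rules)
        # window width = shortest pattern, so every pattern has a full W-byte prefix
        self.W = min(len(r.pattern) for r in self.rules)
        # --- compile time ---
        # prefixes[k] = all k-byte rule prefixes, k = 1..W-1 (what the skip table encodes)
        self.prefixes = {k: {r.pattern[:k] for r in self.rules} for k in range(1, self.W)}
        # RHT: W-byte prefix -> the rules sharing it (the collisions under one key),
        # kept as a priority-ordered list, i.e. the slides' Rule Status Table
        self.rht = defaultdict(list)
        for r in self.rules:
            self.rht[r.pattern[:self.W]].append(r)
        for bucket in self.rht.values():
            bucket.sort(key=lambda r: (r.priority, r.sid))

    def skip(self, window):
        """Skip distance for a W-byte window: shift so that the longest window suffix
        that is a rule prefix lands at the start of the next window; W if none does.
        A hardware table would precompute this for every possible window value."""
        for k in range(self.W - 1, 0, -1):
            if window[-k:] in self.prefixes[k]:
                return self.W - k
        return self.W

    def search(self, data):
        """Return (offset, sid) for every rule occurrence in data, in priority order
        per offset. Works on raw bytes, so binary payloads need no special handling."""
        hits = []
        W = self.W
        pos = 0
        while pos + W <= len(data):
            window = data[pos:pos + W]
            bucket = self.rht.get(window)   # hash lookup on the W-byte prefix
            if bucket is not None:
                # prefix hit: verify each colliding rule in full, highest priority first
                for r in bucket:
                    if data.startswith(r.pattern, pos):
                        hits.append((pos, r.sid))
            # advance to the next alignment at which a rule could still start
            pos += self.skip(window)
        return hits


if __name__ == "__main__":
    rules = [Rule(1000001, b"abc", 2), Rule(1000002, b"abcdef", 1),
             Rule(1000003, b"xyz", 3), Rule(1000004, b"abd", 3)]
    m = PrefixMatcher(rules)
    print(m.search(b"zzabcdefzxabdqqabc"))   # constructed payload
```

With a single rule "abc" the skip distances are exactly the slide's: a window ending in 0x61 gives 2, one ending in 0x6162 gives 1, and any other window gives the full width 3. On the constructed payload the matcher reports the "abcdef" rule before the "abc" rule at offset 2 because both collide under the prefix "abc" and the bucket is ordered by priority. Case-insensitive rules are not modelled here.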
Q&A
Sources
• Rong-Tai Liu, Nen-Fu Huang, Chih-Hao Chen, and Chia-Nan Kao. 2004. A fast string-matching algorithm for network processor-based intrusion detection system. ACM Trans. Embed. Comput. Syst. 3, 3 (August 2004), 614-633.
• Brian D. Carrier. 2006. Risks of live digital forensic analysis. Commun. ACM 49, 2 (February 2006), 56-61.
• Jose M. Gonzalez, Vern Paxson, and Nicholas Weaver. 2007. Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention. In Proceedings of the 14th ACM conference on Computer and communications security (CCS '07). ACM, New York, NY, USA, 139-149.
