CSIIR and IOC 1st Annual Workshop – March 14-15, 2005, Oak Ridge National Lab.
Hao Che / University of Texas at Arlington

Building Robust, Flexible, Scalable Distributed Intrusion Detection Systems (DIDSes)
Hao Che
Department of Computer Science and Engineering
University of Texas at Arlington
Outline
• Motivations
• Proposed Solution
• Thoughts on attack identification
• Research goal
Motivations
• Intrusion detection systems (IDSes) must be distributed in dealing with distributed attacks
• There are various types of DIDSes being built, including:
  • Host-based versus network-based
    • Host-based DIDS
    • Network-based DIDS
    • Hybrid DIDS
  • Centralized versus distributed
    • DIDS with centralized control
    • DIDS with distributed control
    • Both may be hierarchical or flat
Motivations
• A DIDS should be
  • Robust: able to cope with partial failures of the DIDS through, e.g., dynamic resource sharing and dynamic load balancing
  • Flexible: able to allow, e.g., fast run-time software upgrade and rule table update, and flow tracking at various granularities
  • Scalable: able to keep up with multigigabit line rates and scale to large-sized networks
• In general, the existing DIDSes cannot meet all the above requirements simultaneously:
  • Most DIDSes do not address the robustness issue
  • Software-based IDSes cannot keep up with gigabit line rates
  • Hardware-based solutions lack flexibility
A Proposed Solution
• Network level: building a Secured DIDS Overlay using multipath for:
  • both link and node resource optimization
  • fast failure recovery
(Figure: the overlay connects network-based IDS nodes by point-to-point multipath and host-based IDS nodes by point-to-multipoint / multipoint-to-point multipath)
A Proposed Solution
• Node level: a hybrid solution for network-based IDS design:
  • Separation of string matching into header matching and payload string matching
  • Stateful and stateless header matching and load balancing are handled by a fully run-time programmable network processor at multigigabit rate
  • Payload string matching is performed by a set of traditional sensors at lower rates
• A network-based IDS may operate in one of two modes: stealthy mode or inline mode
A Proposed Solution
• Stealthy Mode: for intrusion detection only
  (Figure: a tap on the monitored network feeds a line card consisting of Framer, SerDes, Traffic Manager, Network Processor with TCAM Coprocessor, CPU and MEM; the line card feeds Local Sensors and Remote Sensors, and the IDS Console)
• Inline Mode: for both intrusion detection and prevention
  (Figure: the same line card sits inline on the monitored network, again feeding Local Sensors, Remote Sensors and the IDS Console)
A Proposed Solution
Intel IXP 2800 Multigigabit Network Processor:
• Micro-engines (MEs) can be configured to work in pipeline and/or parallel
• Each ME runs its own micro-code, and the micro-code can be swapped at run-time
• XScale Core maintains flow state and any other control plane functions
A Proposed Solution
A Four-Stage Configuration:
• 1st stage: one ME distributes packets evenly to the MEs in the 2nd stage
• 2nd stage: a set of MEs performs stateful flow classification and load balancing
• 3rd stage: a set of MEs reorders the out-of-order packets received from the 2nd stage
• 4th stage: outgoing packets are scheduled based on their QoS requirements
(Figure: pipeline of dispatcher, load balancer, sequencer, scheduler)
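The four stages above, together with the header/payload split from the node-level slide, modelled in software as an added example that is not part of the presentation; the header rule, sensor names and packet trace are constructed, and the stage-3 reordering relies on a per-packet sequence number that the model assumes each packet carries.

```python
# Added example, not from the slides: software model of the four-stage configuration
# plus the header/payload split. Rule, sensor names and packet trace are constructed.
from collections import defaultdict
from itertools import cycle

HEADER_RULES = {("tcp", 23): "drop"}  # constructed stateless header rule, decided in stage 2

def dispatch(packets, n_classifiers):
    """Stage 1: one ME spreads packets evenly (round-robin) over the stage-2 MEs."""
    lanes = [[] for _ in range(n_classifiers)]
    for lane, pkt in zip(cycle(range(n_classifiers)), packets):
        lanes[lane].append(pkt)
    return lanes

def classify(lanes, sensors, flow_table, load):
    """Stage 2: stateful flow classification and load balancing. A new flow is pinned
    to the least-loaded sensor; later packets follow the table, so one sensor sees
    the whole flow. Header-only decisions never reach a payload sensor."""
    out = []
    for lane in lanes:
        for pkt in lane:
            if HEADER_RULES.get((pkt["proto"], pkt["dport"])) == "drop":
                continue
            flow = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
            if flow not in flow_table:
                flow_table[flow] = min(sensors, key=lambda s: load[s])
            load[flow_table[flow]] += 1
            out.append((flow_table[flow], flow, pkt))
    return out  # lanes ran in parallel: per-flow order is no longer arrival order

def sequence(classified):
    """Stage 3: restore per-flow order from sequence numbers, grouped by sensor."""
    per_sensor = defaultdict(list)
    for sensor, flow, pkt in classified:
        per_sensor[sensor].append((flow, pkt))
    return {s: sorted(v, key=lambda fp: (fp[0], fp[1]["seq"])) for s, v in per_sensor.items()}

def schedule(sequenced):
    """Stage 4: emit higher QoS class first; the stable sort keeps per-flow order."""
    return {s: [p for _, p in sorted(v, key=lambda fp: -fp[1]["qos"])] for s, v in sequenced.items()}

def run_pipeline(packets, sensors=("sensorA", "sensorB"), n_classifiers=2):
    flow_table, load = {}, {s: 0 for s in sensors}
    classified = classify(dispatch(packets, n_classifiers), sensors, flow_table, load)
    return schedule(sequence(classified)), flow_table
def make_pkt(src, sport, dport, seq, qos=0):  # constructed packet header + sequence number
    return {"src": src, "dst": "10.0.0.9", "proto": "tcp", "sport": sport, "dport": dport, "seq": seq, "qos": qos}

PACKETS = [make_pkt("10.0.0.1", 40000, 80, 2), make_pkt("10.0.0.2", 40001, 443, 1, qos=1), make_pkt("10.0.0.1", 40000, 80, 1),
           make_pkt("10.0.0.3", 40002, 23, 1), make_pkt("10.0.0.2", 40001, 443, 2, qos=1), make_pkt("10.0.0.1", 40000, 80, 3)]
```

Running `run_pipeline(PACKETS)` shows the flow from 10.0.0.1 arriving as 2, 1, 3 across two classifier lanes and leaving the sequencer as 1, 2, 3 on one sensor, while the port-23 packet is dropped by the header rule and never creates a flow-table entry.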
A Proposed Solution
Summary of the proposed solution:
• It enhances the robustness, flexibility, and scalability of the existing DIDSes
• In the inline mode, the proposed IDS can also serve as a dynamic firewall for intrusion prevention
• The run-time programmability of the proposed IDS is an important capability which can be further exploited to build intelligent DIDSes
Thoughts on Attack Identification
Two key components in a DIDS:
• Attack identification
• Alert correlation
Two candidate techniques:
• Robust identification
• Frequency domain analysis
Thoughts on Attack Identification
• A state-of-the-art robust identification technique developed by experts in the control area
• Problem Statement:
  • Given:
    • a model of the plant under normal conditions, G_o(λ, Δ_o)
    • failure dynamics G_i(λ, Δ_i)
    • a bound δ on the measurement noise
    • uncertainty sets Δ_i
    • N input/output experiment measurements
  • Determine:
    1. Whether a fault has occurred
    2. In that case, isolate it and determine its strength
• Can be used for both anomaly and misuse detection
Thoughts on Attack Identification
• An immature thought on alert correlation
• Frequency domain analysis may play an important role because:
  • Power spectrum captures the relative strength of the correlated signals at different frequencies or timescales
  • It is a mature research field and various tools are readily available
Research Goal
• Research goal by the end of this summer: a detailed architecture of the proposed research with one of two possible outcomes:
  1. A DIDS architecture with the proposed solution integrated with a new anomaly and misuse detection mechanism
  2. A DIDS architecture that integrates the proposed solution with an existing DIDS
• The outcome will serve two purposes:
  1. A proposal for funding opportunities
  2. The basis for the development of such a DIDS