CSIIR and IOC 1st Annual Workshop – March 14-15, 2005, Oak Ridge National Lab.

Building Robust, Flexible, Scalable Distributed Intrusion Detection Systems (DIDSes)

Hao Che
Department of Computer Science and Engineering
University of Texas at Arlington


Outline
• Motivations
• Proposed Solution
• Thoughts on attack identification
• Research goal


Motivations
• Intrusion detection systems (IDSes) must be distributed in dealing with distributed attacks
• There are various types of DIDSes being built, including:
  • Host-based versus network-based
    • Host-based DIDS
    • Network-based DIDS
    • Hybrid DIDS
  • Centralized versus distributed
    • DIDS with centralized control
    • DIDS with distributed control
    • Both may be hierarchical or flat


Motivations
• A DIDS should be
  • Robust: able to cope with partial failures of the DIDS through, e.g., dynamic resource sharing and dynamic load balancing
  • Flexible: able to allow, e.g., fast run-time software upgrade and rule table update, and flow tracking at various granularities
  • Scalable: able to keep up with multigigabit line rates and scale to large-sized networks
• In general, the existing DIDSes cannot meet all the above requirements simultaneously:
  • Most DIDSes do not address the robustness issue
  • Software-based IDSes cannot keep up with gigabit line rates
  • Hardware-based solutions lack flexibility

A Proposed Solution
• Network level: building a Secured DIDS Overlay using multipath for:
  • both link and node resource optimization
  • fast failure recovery

[Figure: network-based IDS nodes interconnected by point-to-point multipath; host-based IDS nodes connected by point-to-multipoint (multipoint-to-point) multipath.]

A Proposed Solution
• Node level: a hybrid solution for network-based IDS design:
  • Separation of string matching into header matching and payload string matching
  • Stateful and stateless header matching and load balancing are handled by a fully run-time programmable network processor at multigigabit rate
  • Payload string matching is performed by a set of traditional sensors at lower rates
• A network-based IDS may operate in one of two modes: stealthy mode or inline mode

A Proposed Solution
• Stealthy Mode: for intrusion detection only
• Inline Mode: for both intrusion detection and prevention

[Figure: the stealthy-mode and inline-mode line cards are drawn identically (SerDes, framer, traffic manager, network processor with TCAM coprocessor, CPU and memory), each feeding local sensors and remote sensors and reporting to an IDS console; in stealthy mode the line card is fed from a tap on the monitored network, in inline mode it sits in the path of the monitored network's traffic.]

A Proposed Solution
Intel IXP 2800 Multigigabit Network Processor:
• Micro-engines (MEs) can be configured to work in pipeline and/or parallel
• Each ME runs its own micro-code, and the micro-code can be swapped at run-time
• XScale Core maintains flow state and any other control plane functions

A Proposed Solution
A Four-Stage Configuration:
• 1st stage: one ME distributes packets evenly to the MEs in the 2nd stage
• 2nd stage: a set of MEs performs stateful flow classification and load balancing
• 3rd stage: a set of MEs reorders the out-of-order packets received from the 2nd stage
• 4th stage: outgoing packets are scheduled based on their QoS requirements

[Figure: the four stages in sequence: dispatcher, load balancer, sequencer, scheduler.]
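As an added illustration (not code from the talk, and not Intel IXP microcode), a small Python model of the node-level split above together with the four-stage configuration: stateful flow classification pins each flow to one sensor, the sequencer undoes the reordering caused by parallel stage-2 MEs, the scheduler orders by QoS class, and payload string matching runs only at the sensors. The packet fields, QoS values and the single signature rule are constructed sample data.

```python
# Added illustration, not the talk's code: toy model of the four-stage network-processor
# pipeline feeding slower payload sensors. Packets and the rule are constructed.
SIGNATURES = [b"/etc/passwd"]                      # constructed sample rule

class LoadBalancer:
    """Stage 2: stateful flow classification and load balancing. A flow is
    pinned to one sensor when first seen, so all its packets hit that sensor."""
    def __init__(self, n_sensors):
        self.flow_table = {}                        # 5-tuple -> sensor index
        self.load = [0] * n_sensors                 # packets sent per sensor

    def classify(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        if key not in self.flow_table:              # new flow: least-loaded sensor
            self.flow_table[key] = self.load.index(min(self.load))
        sensor = self.flow_table[key]
        self.load[sensor] += 1
        return sensor

def run_pipeline(packets, n_me=3, n_sensors=2):
    # Stage 1: the dispatcher ME spreads packets round-robin over n_me stage-2 MEs.
    lanes = [[] for _ in range(n_me)]
    for seq, pkt in enumerate(packets):
        lanes[seq % n_me].append(dict(pkt, seq=seq))
    # Stage 2: each ME classifies its own lane; draining lane by lane models the
    # parallel MEs finishing at different times, i.e. packets leaving out of order.
    lb, stage2 = LoadBalancer(n_sensors), []
    for lane in lanes:
        stage2.extend(dict(p, sensor=lb.classify(p)) for p in lane)
    # Stage 3: the sequencer restores arrival order from the stage-1 sequence number.
    ordered = sorted(stage2, key=lambda p: p["seq"])
    # Stage 4: the scheduler emits by QoS class (lower = higher priority); the sort
    # is stable, so packets within one class keep their order.
    scheduled = sorted(ordered, key=lambda p: p["qos"])
    # Sensors: payload string matching happens only here, off the multigigabit path.
    alerts = [(p["sensor"], p["seq"], s) for p in scheduled
              for s in SIGNATURES if s in p["payload"]]
    return {"flows": lb.flow_table, "stage2": [p["seq"] for p in stage2],
            "scheduled": [p["seq"] for p in scheduled], "alerts": alerts}

# Constructed sample traffic: flow A (three packets) and flow B (one packet
# whose payload carries the sample signature).
def _pkt(src, sport, qos, payload):
    return {"src": src, "dst": "10.0.0.9", "sport": sport, "dport": 80,
            "proto": 6, "qos": qos, "payload": payload}
SAMPLE = [_pkt("10.0.0.1", 40000, 1, b"GET / HTTP/1.1"),
          _pkt("10.0.0.2", 40001, 0, b"GET /../../etc/passwd HTTP/1.1"),
          _pkt("10.0.0.1", 40000, 1, b"Host: example.test"),
          _pkt("10.0.0.1", 40000, 1, b"Connection: close")]
```

With three stage-2 MEs the four sample packets leave stage 2 as 0, 3, 1, 2 and are restored to arrival order by the sequencer before the QoS scheduler runs.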

A Proposed Solution
Summary of the proposed solution:
• It enhances the robustness, flexibility, and scalability of the existing DIDSes
• In the inline mode, the proposed IDS can also serve as a dynamic firewall for intrusion prevention
• The run-time programmability of the proposed IDS is an important capability which can be further exploited to build intelligent DIDS

Thoughts on Attack Identification
Two key components in a DIDS:
• Attack identification
• Alert correlation

Two candidate techniques:
• Robust identification
• Frequency domain analysis

Thoughts on Attack Identification
• A state-of-the-art robust identification technique developed by experts in the control area
• Problem Statement:
  • Given:
    • a model of the plant under normal conditions G_o(λ, Δ_o)
    • failure dynamics G_i(λ, Δ_i)
    • a bound δ on the measurement noise
    • uncertainty sets Δ_i
    • N input/output experiment measurements
  • Determine:
    1. Whether a fault has occurred
    2. In that case, isolate it and determine its strength
• Can be used for both anomaly and misuse detections

Thoughts on Attack Identification
• An immature thought on alert correlation
• Frequency domain analysis may play an important role because:
  • Power spectrum captures the relative strength of the correlated signals at different frequencies or timescales
  • It is a mature research field and various tools are readily available
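As an added illustration, not part of the talk: a periodogram computed over two constructed per-second alert-count series, showing the power at each timescale and one simple way to find the timescale at which two sensors' alert streams share power. The series, their 60 s and 7 s rhythms and the background noise are all constructed here.

```python
# Added illustration, not from the talk: power spectra of two constructed
# alert-count series and the timescale at which they share power.
import math, random

def periodogram(x):
    """Power per DFT bin k (0 <= k < n/2) of a real series x with its mean removed."""
    n, mean = len(x), sum(x) / len(x)
    x = [v - mean for v in x]
    power = []
    for k in range(n // 2):
        re = sum(v * math.cos(2 * math.pi * k * t / n) for t, v in enumerate(x))
        im = sum(v * math.sin(2 * math.pi * k * t / n) for t, v in enumerate(x))
        power.append((re * re + im * im) / n)   # about sigma^2 per bin for white noise
    return power

def peak_period(power, n):
    """Period in samples of the strongest non-DC bin."""
    k = max(range(1, len(power)), key=power.__getitem__)
    return n / k

def shared_peak_period(a, b):
    """Timescale where both series are strong: the geometric mean of the two
    spectra is large only where A and B both carry power, so a rhythm present
    in only one sensor's alerts does not dominate."""
    pa, pb = periodogram(a), periodogram(b)
    shared = [math.sqrt(p * q) for p, q in zip(pa, pb)]
    return peak_period(shared, len(a))

def sample_series(n=240, seed=1):
    """Constructed alert counts per second from two sensors. Both see a 60 s
    rhythm (e.g. a periodic sweep); sensor B also has a louder 7 s rhythm of
    its own; both carry random background alerts."""
    rng = random.Random(seed)
    a = [round(3 + 2.0 * math.sin(2 * math.pi * t / 60) + rng.random()) for t in range(n)]
    b = [round(3 + 1.0 * math.sin(2 * math.pi * t / 60)
               + 2.0 * math.sin(2 * math.pi * t / 7) + rng.random()) for t in range(n)]
    return a, b
```

Sensor B's own spectrum peaks at the 7 s rhythm, yet the shared spectrum peaks at 60 s, the timescale the two sensors actually have in common.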

Research Goal
• Research goal by the end of this summer: a detailed architecture of the proposed research with one of two possible outcomes:
  1. A DIDS architecture with the proposed solution integrated with a new anomaly and misuse detection mechanism
  2. A DIDS architecture that integrates the proposed solution with an existing DIDS
• The outcome will serve two purposes:
  1. A proposal for funding opportunities
  2. The basis for the development of such a DIDS


Thanks!!!