Network intrusion detection/prevention systems #2

Upload: peter-dulacka

Post on 04-Jul-2015


DESCRIPTION

Slides from an overview presentation about advanced methods and risks in intrusion detection/prevention systems, given in the Security in Internet course at the Faculty of Informatics and Information Technology. The presentation is part of the course assignment.

TRANSCRIPT

Page 1: Network Intrusion Detection Systems #2

Network intrusion detection/prevention systems #2

Page 2: Network Intrusion Detection Systems #2

As seen in the previous presentation…

Page 3: Network Intrusion Detection Systems #2

Signature-based analysis

• pattern matching

• “patterns of malicious traffic”

• very elementary (basically grepping)

+ huge community for rule generation

+ great for low-level analysis (rules are very specific)

+ does not take many resources

- lower performance with a large ruleset

- a slight variation of the attack can evade the rule

Page 4: Network Intrusion Detection Systems #2

Protocol-based analysis

• reviewing network data

• strictly based on layer headers

• knowledge of expected values

+ scales better

+ generic, able to catch zero-day exploits

- protocol header preprocessors need resources

- rules can get extremely difficult to write/understand

- provides little information, the admin has to investigate

Page 5: Network Intrusion Detection Systems #2

TOC

• Shunting

• Risks of live data analysis

• Fast string-matching algorithm for NIDS

Page 6: Network Intrusion Detection Systems #2

Shunting

Page 7: Network Intrusion Detection Systems #2

Traffic analysis problems and solutions

• higher data rates every day

(everything needs to be analyzed)

• custom IDS hardware is put in place

(high cost, change of the network structure)

Page 8: Network Intrusion Detection Systems #2

What’s shunting?

• combination of HW and SW IPS

• running on simple commodity PC hardware

• HW element:

– several large state tables indexed by packet header fields

(TCP/IP flags, connection tuples, IP addresses)

Page 9: Network Intrusion Detection Systems #2

Packet work

• Every packet is fast-checked by the HW element; it can be

– forwarded to the destination

– dropped completely

– “shunted” through the IPS

• Table entries in the HW element can be configured to

– specify traffic to examine

– block malicious traffic

– cut through portions of traffic streams

Page 10: Network Intrusion Detection Systems #2

Shunting Example

• IPS monitoring SSH traffic

• A new connection is opened

• The Shunt fails to find an entry in the per-address (standard connections) or per-connection (encrypted connections) tables

• Traffic is diverted to the IPS and analyzed

• Packets are dropped or injected back into the network

Page 11: Network Intrusion Detection Systems #2

Shunting architecture

• The Shunt’s tables work like a cache and are read-only by default (the table does not update itself)

• The analysis engine (IPS) has to maintain connection state and also update the Shunt tables
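A software model of the packet path described on the previous three slides, added here as an illustration (it is not code from the slides or from the Shunting paper). Table layout, the `Packet` fields and the SSH banner heuristic are constructed assumptions: unknown traffic defaults to the IPS, and the IPS installs a per-connection cut-through entry once both sides have sent an SSH banner.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport payload")
FORWARD, DROP, SHUNT = "forward", "drop", "shunt"


def conn_key(pkt):
    # Both directions of a flow map to the same per-connection entry.
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class Shunt:
    """HW element model: tables indexed by header fields, never self-updating."""
    def __init__(self, default=SHUNT):
        self.addr_table, self.conn_table = {}, {}
        self.default = default          # unknown traffic is shunted to the IPS

    def lookup(self, pkt):
        key = conn_key(pkt)
        if key in self.conn_table:      # per-connection (cut-through) entry
            return self.conn_table[key]
        for ip in (pkt.src, pkt.dst):   # per-address entry
            if ip in self.addr_table:
                return self.addr_table[ip]
        return self.default


class Ips:
    """Analysis engine: keeps connection state and writes Shunt entries."""
    def __init__(self, shunt, ssh_port=22):
        self.shunt, self.ssh_port = shunt, ssh_port
        self.banners = {}               # conn_key -> hosts that sent a banner

    def analyze(self, pkt):
        key = conn_key(pkt)
        if self.ssh_port not in (pkt.sport, pkt.dport) or not pkt.payload:
            return FORWARD              # nothing to decide yet, inject back
        if not pkt.payload.startswith(b"SSH-"):
            self.shunt.conn_table[key] = DROP   # non-SSH on the SSH port
            return DROP
        seen = self.banners.setdefault(key, set())
        seen.add(pkt.src)
        if len(seen) == 2:              # both banners seen: stream is encrypted
            self.shunt.conn_table[key] = FORWARD   # offload the rest in HW
        return FORWARD


def process(shunt, ips, pkt):
    """One packet through the fast path; only SHUNT verdicts reach the IPS."""
    action = shunt.lookup(pkt)
    return ips.analyze(pkt) if action == SHUNT else action
```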

Page 12: Network Intrusion Detection Systems #2

Breakdown of the Traffic

Page 13: Network Intrusion Detection Systems #2

Shunt advantages

• Separation of policy and mechanism

• Keeping things simple (a bounded number of memory accesses per packet)

• Minimal need for buffering

• When set up properly, the IDS can offload 55%-90% of all traffic

Page 14: Network Intrusion Detection Systems #2
Page 15: Network Intrusion Detection Systems #2

Analysis

• Live analysis

– uses the software present during the investigated timeframe

– the system is kept running

– admins review applications and logs

– relies on applications that could have been modified to produce false data

• Dead analysis

– the system is shut down

– an image of the HDD is made and analyzed in the lab

Page 16: Network Intrusion Detection Systems #2

Murder in the Hotel Room…

Page 17: Network Intrusion Detection Systems #2

False Data - Rootkits

• inserts a filter into the data flow

• application level, user-mode level (needs to replace ls, find, du, …)

• system libraries level

• kernel level

• system call level (via wrappers)

Page 18: Network Intrusion Detection Systems #2
Page 19: Network Intrusion Detection Systems #2

Rootkit Countermeasures

• Application level: trusted tools

• Library level: statically compiled trusted tools (some systems require dynamic libraries)

• Kernel rootkits: basic read calls instead of system calls

Page 20: Network Intrusion Detection Systems #2
Page 21: Network Intrusion Detection Systems #2

Live analysis future

• Use of specialized hardware for HDD images (so that dead analysis can be performed)

• Change of system design, isolation of software components

• The precedent in digital evidence is to use dead analysis over live analysis; if many computers are involved, live analysis can save time.

Page 22: Network Intrusion Detection Systems #2
Page 23: Network Intrusion Detection Systems #2

Introduction

• Based on the SNORT ruleset

• Need for efficient algorithms

– complexity increases with the number of patterns of various sizes in every ruleset

– case sensitivity might be involved

– rule patterns are ASCII characters (not evenly distributed), while network traffic is binary data

– prioritization among signatures might be involved

Page 24: Network Intrusion Detection Systems #2

Overview

• Based on

– prefix sliding window (PSW)

– skip distance table (SDT)

– rule hashing table (RHT)

• Compile time and runtime preprocessing

Page 25: Network Intrusion Detection Systems #2

Skip Distance Table

• “abc” string matching (0x61, 0x62, 0x63), 3-byte window

– window in the range 0x000061-0xFFFF61 (last byte is “a”): shift 2, so the window 0x61???? can then be evaluated

– window in the range 0x006162-0xFF6162 (last two bytes are “ab”): shift 1, so the window 0x6162?? can then be evaluated

– etc…

Page 26: Network Intrusion Detection Systems #2
Page 27: Network Intrusion Detection Systems #2

Rule Hashing Table

• Designed for storing colliding entries under one key

• Collisions are stored in a prioritized linked list in the Rule Status Table (RST)
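The Skip Distance Table and Rule Hashing Table slides above describe the two halves of one matcher; the following is an added illustration of both (not code from the slides or from the Liu et al. paper). It assumes a w-byte prefix sliding window, derives the skip distance from the longest window suffix that is also a pattern prefix (the “abc” ranges from the slide fall out of this rule), and uses a dictionary keyed by the w-byte prefix as the rule hashing table, with colliding patterns kept in a list instead of the paper’s prioritized RST. Function names are my own.

```python
def build_tables(patterns, w):
    """Collect every pattern prefix of length 1..w (the skip distance depends
    only on these) and a rule hashing table keyed by the w-byte prefix."""
    prefixes, rht = set(), {}
    for p in patterns:
        assert len(p) >= w, "patterns shorter than the window are not handled"
        for k in range(1, w + 1):
            prefixes.add(p[:k])
        rht.setdefault(p[:w], []).append(p)   # colliding rules share one key
    return prefixes, rht


def longest_prefix_suffix(window, prefixes, kmax):
    """Length (at most kmax) of the longest suffix of window that is also
    the start of some pattern; 0 if no such suffix exists."""
    for k in range(kmax, 0, -1):
        if window[-k:] in prefixes:
            return k
    return 0


def skip_distance(window, patterns, w):
    """Safe shift for one window position: w minus the longest suffix that
    could begin a match. For 'abc': '??a' -> 2, '?ab' -> 1, 'abc' -> 0."""
    prefixes, _ = build_tables(patterns, w)
    return w - longest_prefix_suffix(window, prefixes, w)


def search(data, patterns, w=3):
    """Slide a w-byte prefix window over data; return (offset, pattern) hits."""
    prefixes, rht = build_tables(patterns, w)
    hits, pos = [], 0
    while pos + w <= len(data):
        window = data[pos:pos + w]
        k = longest_prefix_suffix(window, prefixes, w)
        if k == w:
            # Whole window is a pattern prefix: verify the candidates that
            # hash to this key against the full payload.
            for p in rht.get(window, []):
                if data.startswith(p, pos):
                    hits.append((pos, p))
            # The next possible match start lies strictly inside the window.
            k = longest_prefix_suffix(window, prefixes, w - 1)
        pos += w - k
    return hits
```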

Page 28: Network Intrusion Detection Systems #2
Page 29: Network Intrusion Detection Systems #2

Q&A

Page 30: Network Intrusion Detection Systems #2

Sources

• Rong-Tai Liu, Nen-Fu Huang, Chih-Hao Chen, and Chia-Nan Kao. 2004. A fast string-matching algorithm for network processor-based intrusion detection system. ACM Trans. Embed. Comput. Syst. 3, 3 (August 2004), 614-633.

• Brian D. Carrier. 2006. Risks of live digital forensic analysis. Commun. ACM 49, 2 (February 2006), 56-61.

• Jose M. Gonzalez, Vern Paxson, and Nicholas Weaver. 2007. Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07). ACM, New York, NY, USA, 139-149.