Energy Consumption Simulation of Different Distributed Intrusion Detection Approaches

Energy Consumption Simulation of Different Distributed Intrusion Detection Approaches

Prof. Mauro Migliardi

Centro Ingegneria Piattaforme Informatiche (CIPI) University of Genoa and University of Padua

Via Opera Pia 13 16145 Genoa, Italy

[email protected]

Dr. Alessio Merlo E-Campus University

Via Isimbardi, 10 22060 Novedrate, Italy

[email protected]

ABSTRACT – The proliferation of wideband and Internet technologies in the last decade, has generated a significant growth of the risk of security threats hidden in single packets. This fact has lead ISP networks to the adoption of Intrusion Detection Systems, burdening the basic routing with packets inspection, in order to provide a secure connection service. Currently, packet analysis is provided by many ISPs but it has a high impact in term of performance and energy consumption; this makes the choice of the optimal IDS strategy both quite complex and a key issue. To this aim, IDS strategies have been deeply investigated in term of performance, however, the assessment of the energy consumption is generally unexplored. In this paper, we simulate different scenarios for distributed intrusion detection and we leverage an energy consumption model to evaluate the energy consumption caused by early or late discovery of rogue packets. Keywords- Green Networking, Distributed Intrusion Detection, Simulation, Evaluation

I. INTRODUCTION The Internet is one of the most explosive phenomena of the last decades. The number of connected users has grown enormously and similarly has grown the access bandwidth [1]. This evolution has opened the market to a wealth of new web based applications and generated a significant economic growth, however, it has also caused a massive growth of the internet traffic and it has provided a pervasive set of injection point for malicious network traffic. In fact, with the advent of pervasive broadband connections and the “always-on” use model, almost any home PC is both a target for intrusion attempts and a viable source of malicious attacks to other computers when drafted into a botnet. Furthermore, the growth of mobile access through smartphones and tablets, our reliance on mobile access to data for daily activities and business [2], and their vulnerability to coordinated attacks [3] makes

mobile access networks a critical component and another very interesting target for attacks. This fact has generated a new storm of network attacks that every day generates a non-negligible amount of network traffic. Furthermore, recent works on network threats ([4], [5], [6]) tend to suggest that the number of controlled nodes somehow participating to the malicious activities of a botnet is dramatically increasing. It is thus of paramount importance both to prevent malicious traffic packets at network layer from reaching their destinations in such a way that all network traffic is sanitized, and to remove such malicious traffic as soon as possible so that it does not squander network resources. Besides, this sanitization process has also the effect to prevent negative effects on higher layers security solutions for distributed applications (e.g. [7]). Intrusion Detection Systems (IDS) [9] aim at preventing the delivery of malicious traffic to targeted systems thus they can prevent damage at the end point of the attack and can foil attempts of drafting computers into a botnet. However, this level of protection has two limits. First, while an IDS may be able to prevent the attack targeting a host, if the host has been somehow compromised the IDS is generally not able of preventing the host from performing malicious actions such as participating in a distributed denial of service attack. Second, IDS are centralized solutions commonly positioned either on a single host or on very peripheral routers (i.e. the gateway between a LAN and the Internet), thus they do not provide any support to the task of reducing the amount of malicious traffic that daily roams the network actually reducing its effective capacity and wasting energy resources for routing packets that are bound to be discarded. For these reasons, some projects have fostered the evolution from solutions based on single IDS at network end-points toward an infrastructure dedicated to distributed analysis (Distributed IDS, or DIDS) where the analysis of packets could be performed along the routing path. The DIDS approach described in most past projects is targeted at designing methodologies allowing cooperation

2013 27th International Conference on Advanced Information Networking and Applications Workshops

978-0-7695-4952-1/13 $26.00 © 2013 IEEE

DOI 10.1109/WAINA.2013.214

1547

among traditional IDS to strengthen their capability to recognize distributed attacks. On this track, a dedicated Working Group of the IETF has written an RFC that defines the Intrusion Detection Message Exchange Format (IDMEF) [10]. Other projects, though, aimed at distributing the load of the intrusion detection process among the network nodes, and a fully distributed approach to intrusion detection has been proposed in [11] and [12]. All these studies have focused on cooperative strategies only from the effectiveness perspective; in fact their stated goal was to maximize the detection ratio while minimizing the event of false positives. However, effectiveness is not the unique aspect to take into account when dealing with DIDS; in fact, it is well known both that the energy consumption of network, cryptographic and security solution is a growing problem (see [8], [13] for some discussions on it), and, in particular, that all of IDS activities are computationally demanding and significantly energy consuming. Thus, in past works we have proposed a model dedicated to the evaluation of the energy consumption of routers in a core network with respect to the activities of routing and detection of bad packets. In this paper we leverage the mechanism proposed in [11], [12] and the model proposed in [14], [15] to simulate the energy leakage that is due to a late (i.e. not taking place on the first network node) discovery of bad packets in networks with different configurations for routing hardware and with different types of network traffic. This paper is structured as follows, in section II we provide a brief introduction to Intrusion Detection Systems; in section III we briefly summarize how the activities of an Intrusion Detection System could be parceled over several nodes; in section IV we provide a model for assessing the energy consumption of a distributed analysis; in section V we simulate several different scenarios and we evaluate the energy leakage due to late discovery of malicious traffic. Finally, in section VI we provide some concluding remarks.

II. INTRUSION DETECTION SYSTEMS Intrusion Detection Systems (IDSs) represents an important part of the information security field. Their specific goal is to detect unauthorized accesses to and operation into a protected system (the so-called intrusions) in order to allow the system to perform proper actions to grant the integrity and privacy of the system itself. Although there are different types on Network IDS (NIDS), it is generally possible to define two major categories based on how they perform the detection itself [16] [17]. Thus, we can divide the IDS in:

• Anomalies detectors; • Signature detectors.

The first category of NIDS bases its work on the principle that there is a model capable of describing the traffic that

transits over the network in a normal situation. This assumption leads to the conclusion that any traffic that cannot be described using the above mentioned model is abnormal and thus it is recognized as a malicious intrusion. The second category of NIDS bases its work on the same mechanism used by most virus control programs. They have a database of “signatures”, i.e. of patterns of bytes, which have been identified as distinctive of an intrusion attempt packet. These NIDS are capable of eliminating intrusion attempts before they have spread an infection, but they cannot detect new threats. Thus they could stop any known worm from spreading, but they are mostly impotent when a new threat appears. To enhance the robustness of this category of NIDS some implementations add “behavioral signatures”, i.e. they do not check just for a specific byte pattern in a packet, but they also check for unusual behavior [17].

III. DISTRIBUTED INTRUSION DETECTION There are many studies that present a distributed design for intrusion detection, among these we may cite, among the more recent ones, Hi-dra [18], DIPS and Intrusion Detection Force [19], All of these adopt an approach where detection is distributed but the decision and policy building is centralized. Starting from a different approach, the main idea behind the Distributed Intrusion Detection scheme described in [11] and [12] is that every network node involved in packet routing/switching may perform a portion of the search for malicious packets on the traffic that flows through it, while the remaining portion of the analysis is delegated to the nodes further along the path. Thus, the load of detecting intrusion attempts among all the packets flowing from node A to node B is divided among a subset (that may coincide with the whole) of the nodes along the path. There are two fundamental assumptions at the basis of this. The first assumption is that a node can be modeled as a selector: each packet in an input queue has to be processed to select the correct output queue. The length of the input is a measure of the load of the router from a processing point of view, while the length of the output queue is independent from the processing load of the node. A second fundamental assumption is that the process of detecting an intrusion can be modeled as a visit to a Directed Acyclic Graph (DAG). This assumption derives from the analysis of the internal structure of one of the most diffused signature detection software, namely SNORT [20]. According to its characteristics and network level option each packet navigates the DAG to be matched against the different misuse signatures. When a match is found the packet is tagged as bad. If no match is found the packed is tagged as legitimate. We assume that the navigation of the DAG may be suspended and resumed at a later stage, thus a router may tag a partially checked packet

1548

with the current position in the DAG to allow a following router to resume the checking activity. On the basis of these assumptions, there are two different flavors of the algorithm to select the portion of traffic to be checked in each node. The first methodology tries to advance as much as possible in the intrusion detection check of every packet in the input queue. Each packet has an intrusion detection time quantum (IDQ) that is calculated on the basis of the router current load. The second methodology tries to complete the control of as many packets as possible. At each intrusion detection step, the router calculates how much Slack Time (ST) he has given the current state of its input queue. Once the ST has been calculated, the router performs the complete intrusion detection analysis of as many packets as he can in ST time. The packets detected as bad are discarded; the other checked packets are tagged as legitimate. Obviously, if the value of ST allows performing the complete intrusion detection analysis of a packet, this analysis is performed in steps of IDQ length to prevent lock up of the packet forwarding. Once the amount of complete analysis has been performed a new ST value is computed. The check of the remaining packet is delegated to routers in future hops. At this point the router does not engage itself in further intrusion detection activities until it has routed IQL (as measured at the previous detection step) packets. For further details about the workload distribution mechanism and the communication protocols involved see [11] and [12].

IV. A GENERAL MODEL FOR ENERGY CONSUMPTION IN DISTRIBUTED PACKET

ANALYSIS In this section we briefly introduce the general model for describing the energy consumption in a distributed intrusion detection system that has been fully described in [14].

A Core Network (as opposed to an Access Network) of an Internet Service Provider (ISP) can be modeled as a set of connected nodes. Each node supports different operations among which we are interested in packet forwarding, storing and analysis. A packet reaching a boundary node (nodes A, B, C, D, E, F, G in Figure 1) in the network is then forwarded through the nodes to another boundary node (e.g. node G in Figure 1), towards its destination. It is obvious that each operation inside the network has an energy cost. However, we are interested in modeling the energy consumptions related to the intrusion detection analysis, to packet routing and delivery and the interaction of the two. Thus, we ignore any other cost such as, for instance, costs caused by network management. In our model the core network is a set of links and nodes, connected in any topology. As the basic function of the nodes is routing packets toward their destination, we will assume that all of the nodes are routers with additional intrusion detection capabilities. Thus, we indicate with ���� � ����� the set of routers in the core network and with ���� � � ��� the set of links (hops) between routers. As remarked, an IDS like SNORT [20] divides the analysis of a packet into a set of independent analysis unit (au), such that, as shown in [11] and [12], the analysis of a packet can be carried out by different routers along the path to the destination. Given ��� � ��� the set of all possible analysis unitsof an IDS, we define a single packet pi as the ordered sequence of analysis units that the IDS should execute for its security assessment: �� � ����� ���� � � ����

�, where ��� � ���. We identify the packet in terms of analysis units only; as a consequence, two packets in the network that requires to be analyzed by the IDS through the same sequence of units are considered identical. Any subsequence of a packet is thus considered a packet. Thus, we refer to any sequence of analysis unit as a packet. We assume that (1) the whole sequence of analysis units should be executed by the IDS in order to flag the packet as good or bad and that (2) the analysis units must be executed orderly, namely ��� should be executed before������.

The execution of each analysis unit has an energy cost. Thus, we associate an energy value !"#to the analysis unit auj. Thus, we define the energy cost (limited to the Intrusion Detection analysis) for packet pi as:

1. $� � % !"#���&�

Analysis units are executed on routers. With the previous definition of packet, we model a router as a packet consumer. More in detail, given a packet �� �

����� ���� � � ����� entering a router, the router processes

the first part of the analysis sequence (e.g.

Figure 1 Routers in an Internet Service Provider Core Network

1549

����� ���� � � ���'� for some j’) and forwards the remaining sequence (i.e. the packet�����'��� ���'��� � � ����

�) to some neighbor. Since the main goal of each node in the core network is to deliver a packet to its destination without introducing an excessive latency, only a part of the node capability can be used for intrusion detection purposes in any moment. Furthermore, the size of this part may change over time, depending on the workload of the router. Hence, we indicate with () the amount of energy that, in a given moment, the IDS on router ��can use for analyzing the content of a packet. Therefore, given a packet �� , the number of consecutive analysis units that the router can process is provided by the

maximum value ��()� such that () * �% !"#

!"+)�

�&�. We

refer to ��()� as the number of analysis units that the router

�� can process for the packet ��in a given moment. Besides the energy used for the analysis, it is necessary to take into account also the energy used for the routing of the packet from the entrance point (router A in Figure 1) to the exit one (router G in Figure 1). Given the set of links (���� � � ���) and a packet �� , we tag each link in LSet with a value ,-

� , thus we may define the whole energy consumption of the activity of forwarding the packet��on that link. Note that the activity of the router (both analysis and forwarding) has no effects on the dimension of the packet. For this, from delivery perspective, the packet is recognized as invariant during its travel through the ISP. As a consequence, the energy cost of delivery is independent from the order of the links. Thus, given a subset of L links ./ 0 ����, that connect A to B, we define the energy cost of forwarding the packet ��along such path as:

2. 12 � % ,-�/

�&� for � ./

The total energy consumption for packet analysis and routing in an ISPN with IDS analysis is globally defined as:

3. 343� � $� 5 12 � �% !"#���&� 5 % ,-

�/�&�

V. SIMULATION OF ENERGY CONSUMPTION

IN DIFFERENT NETWORK SCENARIOS In this section we leverage the model previously described to simulate different use cases in a hypothetical ISP core network. In our simulations we have considered two simple topologies, namely star topology and a randomly generated topology. In these two topologies we have inserted a variable number of routers from 100 to 2000. The power consumption of routing nodes has been modeled similarly to the power consumption of a computational server, i.e., a fixed overhead plus a quantity proportional to the load (see Figure 2). This model has already been adopted and proved effective in past research works [21][22]. It is important to notice that, although the current generation of routing devices shows almost always a flat line where the power consumption has a negligible dependency from the current traffic, many recent works and research projects [23], [24] show that next generation devices will be capable of throttling energy consumption according to traffic requirements. Thus in our simulation we adopt a consumption graph that is closer to the one used for computational nodes. More in details we associate a different costs for the idle state (i.e. A=1 in Figure 2), the full load state (i.e. C=11 in Figure 2) and a max routing capacity per simulation step (i.e. B=4 in Figure 2). We also assume that the cost for completing the intrusion detection analysis on a packet is N times the cost of routing a packet, with different values of N (we include in routing cost also the actual transmission over the link). We injected in each of the two network topologies flows from 100000 to 1M packets with different percentage of malicious packets (from 0% to 100%). As described in section 3, each routing node dedicates to intrusion detection only the amount of resources that is not required to forward the packets in the input queue. Furthermore, as soon as a packet is tagged as malicious it is discarded, while as long as its analysis is not completed or if it has been tagged as good, it is routed toward the destination according to a shortest path algorithm. Figure 3 shows the values of energy consumption for tests with 1000 routers, A=1, C=11, B=4 and 100K packets. The energy consumption that corresponds to non-malicious packets it’s also the value for the case when intrusion detection is performed at the destination, in fact, the cost for the analysis itself is still the same and there are no packets discarded before they reach the destination. When the percentage of malicious packets grows, it also grows the amount of energy that is saved by early discovery and discarding of them. The total cost, however, is always larger than the simple cost of

Figure 2 Network node power consumption

model

B max load

C max

Routing Load

Energy

A

1550

analysis (number of packets times the cost because the network nodes perform analthey are not fully loaded. The star topology is intrinsically more conrandom one, thus, the nodes may dedicatethe analysis of the packets. On the contrarthe random topology have a lower level ofmore energy to dedicate to aggressive intrThis fact makes the energy savings fotopology (see Figure 3a) more significant tthe star topology (see Figure 3b).

VI. CONCLUDING REMAIn this paper we have described a methodollowering the energy consumption in cordiscarding malicious packets as soon as poreducing the traffic that has to be routed More in details, we have leveraged the enermodels described in [21] and [14] to performing aggressive distributed intrusiodescribed in [11] and [12] it is possible to traffic thus ultimately reducing the energNetwork routing devices of the current gesupport modulation of energy consumption level of traffic; however, we have simulatexample scenarios adopting an energy monodes that is based on the projections and current green networking projects [25]. Oshow that it is possible to reduce the energynetworks by early discarding of malhowever, there is a significant depenpercentage of malicious packets among thethe level of energy consumption for idle apthe steepness of the growth of consumptiontraffic. At present, we have no reference imuse for more detailed simulations; however,

a) Figure 3 Graphical representation o

of the analysis) ysis only when

ngested than the e little energy to ry, the nodes in f congestion and rusion detection. for the random than the one for

ARKS logy that aims at re networks by ossible and thus and forwarded.

rgy consumption show that by

on detection as reduce network

gy consumption. eneration do not according to the

ted some simple odel for network

expectations of Our simulations

y consumption of icious packets;

ndency on the e traffic flow, on pparatus and on n in presence of

mplementation to , the preliminary

results show that the methodology the evolutionary trends shown in rnetworking are confirmed in the ne

REFERENC[1] Androutsos, A., Access link ba

and endogenous Internet growtapproach. Int. J. Network Mgmdoi: 10.1002/nem.771

[2] Hequan Wu, "Some thoughts oinformation and communicatioTechnologies Beyond 2020 (TTechnology Time Machine Sypp.1, 1-3 June 2011

[3] Traynor P., Lin M., Ongtang MMcDaniel P., and La Porta T., measuring the impact of maliccellular network core, in Proceconference on Computer and c(CCS '09). ACM, New York, N

[4] Leder F., Werner T., Martini PCountermeasures - An Offensi1st CCDCEO Conference on CEstonia, June 17–19, 2009.

[5] Paganini P., Botnet around UsMatrix?, The Hacker News AuOctober 7th 2012 from http://news.thehackernews.com

[6] A.a.V.v., McAfee Threats Repretrieved on October 7th 2012 fhttp://www.mcafee.com/us/resquarterly-threat-q1-2012.pdf

[7] Merlo A., Secure Cooperative Grid, in Future Generation Com

b)

of energy consumption a) star topology and b) random top

may become practical if ecent papers about green

ext generation devices.

CES andwidth externalities th: a long-run economic

mt., 21: 21–44, (2011).

on the transformation of on technologies,"

TTM), 2011 IEEE ymposium on , vol., no.,

M., Rao V., Jaeger T., On cellular botnets: ious devices on a

eedings of the 16th ACM communications security NY, USA, 223-234. P., Proactive Botnet ive Approach, Proc. of Cyber Warfare, Tallinn -

: Are we nodes of the ugust 2012, retrieved on

m/THN-August2012.pdf port, first Quarter 2012, from sources/reports/rp-

Access Control for the mputer Systems,

pology

1551

Elsevier, Vol. 29, no. 2, pp. 497-508 February 2013; http://dx.doi.org/10.1016/j.future.2012.08.001.

[8] Gasti, P.; Merlo, A.; "On Re-use of randomness in broadcast encryption, Proc. of the Ninth Annual International Conference on " Privacy, Security and Trust (PST), pp.36-43, 19-21 July 2011. doi: 10.1109/PST.2011.5971961

[9] Mukherjee B., Heberlein L.T., Levitt K.N., "Network intrusion detection," Network, IEEE , vol.8, no.3, pp.26-41, May/Jun 1994

[10] Debar H., Curry D., Feinstein B., “The Intrusion Detection Message Exchange Format (IDMEF)”, rfc 4765, March 2007, http://www.ietf.org/rfc/rfc4765.txt

[11] Migliardi M., Stringhini G., A Distributed Model for Intrusion Detection and Prevention, Proc. of the WWW/Internet 2009 International Conference, Rome, Italy, November, 19-22, 2009.

[12] Migliardi M., Stringhini G., Travelling Information For Intrusion Prevention Systems, Proc. of the 2010 International Conference on Security and Management, Las Vegas, Nevada, USA, July 12-15, 2010.

[13] Van Heddeghem W., Vereecken W., Pickavet M., Demeester P., Energy in ICT - Trends and research directions, Proc. Of the IEEE 3rd International Symposium on Advanced Networks and Telecommunication Systems (ANTS), New Delhi, 14-16 Dec. 2009.

[14] Merlo A., Migliardi M., Modeling the energy consumption of an IDS: a step towards Green Security, Proc. of the IEEE Conference on Information Systems Security, Opatija (HR), 23-27 May 2011.

[15] Luca Caviglione, Alessio Merlo, Mauro Migliardi, What Is Green Security?, Proc. of the 7th International Conference on Information Assurance, Malacca (Malaysia) 5 - 8 Decembre 2011, pgg. 366-371

[16] Axelsson S.; “Intrusion Detection Systems: A Survey and Taxonomy”, In Seminars at Multimedia Networking Research Laboratory (MNLAB), School of Computer Science, DePaul University, April 2003.

[17] Hwang K., Cai M., Chen Y, Qin M., “Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes”; IEEE Transactions on

Dependable and Secure Computing, Volume 4, Issue 1, Jan.-March 2007 Page(s):41 – 55

[18] Kemmerer R.A., Vigna G., Hi-DRA: Intrusion Detection for Internet Security, Proceedings of the IEEE, Volume 93, Issue 10, Oct. 2005 Page(s):1848 – 1857.

[19] Haslum K., Abraham A., Knapskog S., DIPS: A Framework for Distributed Intrusion Prediction and Prevention Using Hidden Markov Models and Online Fuzzy Risk Assessment, Third International Symposium on Information Assurance and Security, 29-31 Aug. 2007 Page(s):183 – 190.Teo L., Zheng Y., Ahni G-J., “Intrusion Detection Force: an infrastructure for Internet-scale intrusion detection” ,In Proceedings of IWIAS 2003. First IEEE International Workshop on Information Assurance , 24 March 2003 Page(s):73 – 86

[20] Casewell B. and Beale J., SNORT 2.1, Intrusion Detection, second ed. Syngress, May 2004

[21] X. Fan, W.-D. Weber, and L.A. Barroso, “Power Provisioning for a Warehouse-Sized Computer”, In Proceedings of the ACM International Symposium on Computer Architecture, San Diego, CA, Jun. 2007.

[22] Peterson, B.; Ricciardi, S.; Nin, J.; , "Energy-Efficiency and Security Issues in the Cisco Nexus Virtual Distributed Switching," Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2012 Sixth International Conference on , vol., no., pp.552-557, 4-6 July 2012

[23] Reforgiato, D.; Lombardo, A.; Davoli, F.; Fialho, L.; Collier, M.; Donadio, P.; Bolla, R.; Bruschi, R.; , "Exporting data-plane energy-aware capabilities from network devices toward the control plane: The Green Abstraction Layer," Networks and Optical Communications (NOC), 2012 17th European Conference on , vol., no., pp.1-6, 20-22 June 2012

[24] Bolla, R.; Bruschi, R.; Lombardo, C.; Suino, D.; , "Evaluating the energy-awareness of future Internet devices," High Performance Switching and Routing (HPSR), 2011 IEEE 12th International Conference on , vol., no., pp.36-43, 4-6 July 2011

[25] Aa.Vv., Econet (low Energy COnsumption NETworks), https://www.econet-project.eu/

1552