Network intrusion detection/prevention systems #2

Network Intrusion Detection Systems #2

Jul 04, 2015



Peter Dulačka

Slides from an overview presentation on advanced methods and risks in intrusion detection/prevention systems, given in the Security in Internet course at the Faculty of Informatics and Information Technology. The presentation is part of the course assignment.
Transcript
Page 1: Network Intrusion Detection Systems #2

Network intrusion detection/prevention systems #2

Page 2

As seen in previous presentation…

Page 3

Signature-based analysis

• pattern matching

• “patterns of malicious traffic”

• very elementary (basically grepping)

+ huge community for rule generation

+ great for low level analysis (rules are very specific)

+ consumes few resources

- performance degrades with large rulesets

- a slight variation of the attack can evade the rule

Page 4

Protocol-based analysis

• reviewing network data

• strictly based on layer headers

• knowledge of expected values

+ scales better

+ generic: can catch zero-day exploits that violate protocol expectations

- protocol header preprocessors need resources

- rules can get extremely difficult to write and understand

- alerts carry little information; the admin has to investigate
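The two approaches above, side by side on a few constructed HTTP request lines. This is an added example, not code from the slides: the signature (a hypothetical CGI script name), the set of known methods and the 512-byte URI limit are assumptions made for it. It shows the signature engine matching a literal request but missing the same request with one URL-encoded byte, a protocol preprocessor recovering that match by normalizing the URI first, and plain header checks flagging a malformed method and an oversized URI that no signature describes, while saying nothing about what the attack is.

```python
"""Signature-based vs. protocol-based analysis of HTTP request lines.
Added example; signatures, limits and sample requests are constructed."""
import re
from urllib.parse import unquote_to_bytes

# Hypothetical content signature (constructed; not a real Snort rule): alert on
# requests for a CGI script we pretend is known-vulnerable.
SIGNATURES = [
    {"sid": 1000001, "content": b"/cgi-bin/legacy-upload.cgi", "nocase": True},
]

# "Knowledge of expected values" for the request line. The method list and the
# URI length limit are assumptions for this example.
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
VERSION_RE = re.compile(rb"^HTTP/1\.[01]$")
MAX_URI_LEN = 512


def signature_match(payload, normalize=False):
    """Pattern matching: one substring search per rule (basically grepping).
    With normalize=True the payload is URL-decoded first, the kind of work a
    protocol preprocessor does before the signature engine sees the data."""
    hay = unquote_to_bytes(payload) if normalize else payload
    alerts = []
    for sig in SIGNATURES:
        needle = sig["content"]
        hit = needle.lower() in hay.lower() if sig["nocase"] else needle in hay
        if hit:
            alerts.append(f"sid:{sig['sid']} content match")
    return alerts


def protocol_check(request_line):
    """Header-field checks against expected values. Catches deviations the
    signatures know nothing about, but the alert says little about *what*
    the traffic is; the admin has to investigate."""
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return [f"malformed request line ({len(parts)} fields, expected 3)"]
    method, uri, version = parts
    alerts = []
    if method not in KNOWN_METHODS:
        alerts.append(f"unknown method {method!r}")
    if not uri.startswith(b"/"):
        alerts.append("URI does not start with '/'")
    if len(uri) > MAX_URI_LEN:
        alerts.append(f"URI length {len(uri)} exceeds {MAX_URI_LEN}")
    if not VERSION_RE.match(version):
        alerts.append(f"unexpected version {version!r}")
    return alerts


def analyze(request_line):
    """Run all three views over one request line."""
    return {
        "signature_raw": signature_match(request_line),
        "signature_normalized": signature_match(request_line, normalize=True),
        "protocol": protocol_check(request_line),
    }


# Constructed sample request lines (not captured traffic).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1",
    "literal": b"GET /cgi-bin/legacy-upload.cgi?f=x HTTP/1.0",
    # Same request with the 'u' of "upload" URL-encoded as %75: the raw
    # signature no longer matches, the protocol is still perfectly valid.
    "encoded": b"GET /cgi-bin/legacy-%75pload.cgi?f=x HTTP/1.0",
    "long_uri": b"GET /" + b"A" * 600 + b" HTTP/1.1",
    "bad_method": b"GETX /index.html HTTP/1.1",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, analyze(line))
```

The "encoded" sample is the slide's "slight attack variation": one byte changed and the grep-style rule is blind, while decoding the URI before matching (a protocol-aware step) brings the match back. The "long_uri" and "bad_method" samples trigger only the protocol checks, and the alert text tells you a value is out of range, nothing more.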

Page 5

TOC

• Shunting

• Risks of live data analysis

• Fast string-matching algorithm for NIDS

Page 6

Shunting

Page 7

Traffic analysis problems and solutions

• higher data rates every day

(everything needs to be analyzed)

• custom IDS hardware is put in place

(high cost, network structure change)

Page 8

What’s shunting?

• an IPS split into a HW element and a SW element

• the SW element runs on simple commodity PC hardware

• HW element:

– several large state tables indexed by packet header fields

(TCP/IP flags, connection tuples, IP addresses)

Page 9

Packet work

• Every packet is fast-checked by the HW element; it can be

– forwarded to the destination

– dropped completely

– “shunted” through the IPS

• Table entries in the HW element can be configured to

– specify traffic to examine

– block malicious traffic

– cut through portions of traffic streams

Page 10

Shunting Example

• IPS monitoring SSH traffic

• A new connection is opened

• The Shunt finds no entry for it in the per-address (standard connections) or per-connection (encrypted connections) tables

• Traffic is diverted to the IPS and analyzed

• Packets are dropped or injected back into the network

Page 11

Shunting architecture

• The Shunt’s tables work like a cache; by default they are read-only (the table does not update itself)

• The analysis engine (IPS) has to maintain connection state and also update the Shunt tables

Page 12

Breakdown of the Traffic

Page 13

Shunt advantages

• Separation of policy (decided in software) and mechanism (enforced in hardware)

• Keeping things simple (a bounded number of memory accesses per packet)

• Minimal need for buffering

• When set up properly, the Shunt can offload 55%-90% of all traffic from the analysis engine
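The fast path/slow path split from pages 8 to 13, as an added example that is not code from the slides or from the Shunt paper. It models only the two tables the slides name (per-address and per-connection), a miss in both meaning "shunt to the IPS", and an analysis engine that keeps connection state and writes its decisions back into those tables. The SSH policy (cut the session through once both version banners are seen, drop protocol-1 banners), the blocklist and the packet trace are assumptions constructed for the example; the offload fraction at the end is what the slide's 55%-90% figure refers to.

```python
"""Shunt (hardware fast path) plus analysis engine (software slow path).
Added example with constructed traffic; table layout and policy are assumptions."""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst sport dport payload")
FORWARD, DROP, SHUNT = "forward", "drop", "shunt"


def conn_key(p):
    return (p.src, p.dst, p.sport, p.dport)


def reverse_key(p):
    return (p.dst, p.src, p.dport, p.sport)


class Shunt:
    """HW element: tables indexed by header fields, one lookup per packet.
    The tables are written only by the analysis engine; a miss in every
    table means the packet is shunted to the IPS (the default action)."""

    def __init__(self):
        self.per_connection = {}   # 4-tuple -> FORWARD or DROP
        self.per_address = {}      # IP address -> FORWARD or DROP

    def lookup(self, p):
        action = self.per_connection.get(conn_key(p))
        if action is None:
            action = self.per_address.get(p.src, self.per_address.get(p.dst))
        return action or SHUNT


class AnalysisEngine:
    """SW element: keeps connection state and pushes decisions into the tables."""

    def __init__(self, shunt, blocklist):
        self.shunt = shunt
        self.blocklist = set(blocklist)
        self.ssh_banners = Counter()   # connection (both directions) -> banners seen

    def inspect(self, p):
        if p.src in self.blocklist:
            # Assumed policy: block the address wholesale so every later packet
            # from it is dropped in hardware and never reaches the engine again.
            self.shunt.per_address[p.src] = DROP
            return DROP
        if p.dport == 22 or p.sport == 22:
            return self._inspect_ssh(p)
        return FORWARD   # anything else stays in the slow path, packet by packet

    def _inspect_ssh(self, p):
        fwd, rev = conn_key(p), reverse_key(p)
        if p.payload.startswith(b"SSH-1."):
            # Assumed policy: protocol-1 banners are not allowed; block the connection.
            self.shunt.per_connection[fwd] = self.shunt.per_connection[rev] = DROP
            return DROP
        if p.payload.startswith(b"SSH-2.0"):
            session = frozenset((fwd, rev))
            self.ssh_banners[session] += 1
            if self.ssh_banners[session] == 2:
                # Both banners seen: the rest is encrypted and yields nothing to
                # analyse, so cut the connection through in hardware.
                self.shunt.per_connection[fwd] = self.shunt.per_connection[rev] = FORWARD
        return FORWARD


def run(packets, blocklist):
    """Push a trace through the two tiers; returns per-path counts and the
    fraction of packets the hardware handled without involving the IPS."""
    shunt = Shunt()
    engine = AnalysisEngine(shunt, blocklist)
    stats = Counter()
    for p in packets:
        action = shunt.lookup(p)
        if action == SHUNT:
            stats["shunted_to_ips"] += 1
            stats["ips_" + engine.inspect(p)] += 1
        else:
            stats["hw_" + action] += 1
    result = dict(stats)
    result["offload_fraction"] = (stats["hw_forward"] + stats["hw_drop"]) / len(packets)
    return result


def sample_traffic():
    """Constructed packet trace (not captured data)."""
    pkts = [Packet("198.51.100.9", "10.0.0.5", 40000 + i, 80, b"GET / HTTP/1.1")
            for i in range(5)]                                        # blocklisted scanner
    c = Packet("10.0.0.7", "10.0.0.22", 51000, 22, b"SSH-2.0-OpenSSH_9.6")
    s = Packet("10.0.0.22", "10.0.0.7", 22, 51000, b"SSH-2.0-OpenSSH_9.6")
    pkts += [c, s]                                                    # SSHv2 banners
    pkts += [Packet("10.0.0.7", "10.0.0.22", 51000, 22, b"\x00" * 64) if i % 2 == 0
             else Packet("10.0.0.22", "10.0.0.7", 22, 51000, b"\x00" * 64)
             for i in range(20)]                                      # encrypted records
    pkts.append(Packet("10.0.0.8", "10.0.0.22", 51001, 22, b"SSH-1.5-legacy"))
    pkts += [Packet("10.0.0.8", "10.0.0.22", 51001, 22, b"\x00" * 32) for _ in range(3)]
    pkts += [Packet("10.0.0.9", "10.0.0.80", 52000, 80, b"GET /%d HTTP/1.1" % i)
             for i in range(10)]                                      # HTTP, never offloaded
    return pkts


if __name__ == "__main__":
    print(run(sample_traffic(), blocklist={"198.51.100.9"}))
```

On this trace 14 of 41 packets reach the engine (the first scanner packet, the two SSH banners, the SSHv1 banner and every HTTP packet) and the hardware handles the other 27 from its tables, about 66% offload. Only the IPS ever writes the tables, so a policy change is a software change while the per-packet mechanism stays a table lookup.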

Page 14

Page 15

Analysis

• Live analysis

– uses the software present on the system during the investigated timeframe

– the system is kept running

– admins review applications and logs

– relies on applications that could have been modified to produce false data

• Dead analysis

– the system is shut down

– an image of the HDD is made and analyzed in a lab

Page 16

Murder in the Hotel Room…

Page 17

False Data - Rootkits

• a rootkit inserts a filter into the data flow between the evidence and the investigator; it can sit at

• application level, user mode (needs to replace ls, find, du, …)

• system library level

• kernel level

• system call level (via wrappers)

Page 18

Page 19

Rootkit Countermeasures

• Application level: trusted tools brought in by the investigator

• Library level: statically compiled trusted tools (some systems still require dynamic libraries)

• Kernel level: read the raw device with basic read calls instead of relying on higher-level file system calls (the kernel still services those reads, so a kernel rootkit can still lie)

Page 20

Page 21

Live analysis future

• Specialized hardware for acquiring HDD images without relying on the running OS (so that dead analysis can be performed)

• Changes in system design: isolation of software components

• Precedent in digital evidence handling favors dead analysis over live analysis; when many computers are involved, live analysis can save time.

Page 22

Page 23

Introduction

• Based on the Snort ruleset

• Need for efficient algorithms

– complexity grows with the number of patterns of various sizes in the ruleset

– case sensitivity may be involved

– rule patterns are ASCII characters (not uniformly distributed), while network traffic is binary data

– prioritization among signatures may be involved

Page 24

Overview

• Based on

– prefix sliding window (PSW)

– skip distance table (SDT)

– rule hashing table (RHT)

• Compile time and runtime preprocessing

Page 25

Skip Distance Table

• matching the string “abc” (0x61, 0x62, 0x63) with a 3-byte window

– window in range 0x000061–0xFFFF61 (last byte 0x61): shift 2, so the window 0x61???? can be evaluated next

– window in range 0x006162–0xFF6162 (last bytes 0x6162): shift 1, so the window 0x6162?? can be evaluated next

– etc…

Page 26

Page 27

Rule Hashing Table

• Designed to store colliding entries (rules sharing a prefix) under one key

• Collisions are stored as a prioritized linked list in the Rule Status Table (RST)
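The prefix sliding window, skip distance table and rule hashing table from pages 24 to 27, worked through in code. This is an added example, a simplified Python re-creation of the idea as the slides describe it, not the authors' network-processor implementation: the window width is the shortest pattern, the skip table is filled lazily and cached per window content, the RHT is a dictionary from w-byte prefix to the rules sharing it, the RST is reduced to a priority-sorted list, and case-insensitive rules are handled by lowercasing. The rules and the sample buffer are constructed for the example.

```python
"""Prefix-window pattern matching with skip distances and a rule hashing table.
Added example (simplified re-creation, not the paper's code); rules and data are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    pattern: bytes
    priority: int = 1      # lower value is evaluated first within an RHT bucket
    nocase: bool = False


class PrefixWindowMatcher:
    def __init__(self, rules):
        self.w = min(len(r.pattern) for r in rules)   # prefix sliding window width
        # heads[k]: every k-byte head of a rule prefix (lowercased for nocase
        # rules); a window whose suffix is such a head cannot be skipped past.
        self.heads = defaultdict(set)
        # RHT: w-byte prefix -> rules sharing it (collisions), kept by priority.
        self.rht = defaultdict(list)
        for r in rules:
            key = r.pattern[:self.w].lower() if r.nocase else r.pattern[:self.w]
            for k in range(1, self.w + 1):
                self.heads[k].add(key[:k])
            self.rht[key].append(r)
        for bucket in self.rht.values():
            bucket.sort(key=lambda r: r.priority)
        self.sdt = {}              # SDT: window content -> (is_candidate, skip)
        self.windows_examined = 0

    def _lookup_sdt(self, window):
        """Skip distance for a window: the smallest shift s >= 1 that lines a
        suffix of the window up with the head of some rule prefix, or w if
        none does. Computed on first sight and cached, like a table keyed on
        the window content (the slide's 0x??????61 -> shift 2 rule)."""
        entry = self.sdt.get(window)
        if entry is None:
            forms = {window, window.lower()}          # raw for case-sensitive, lower for nocase
            candidate = any(f in self.rht for f in forms)
            skip = self.w
            for s in range(1, self.w):
                if any(f[s:] in self.heads[self.w - s] for f in forms):
                    skip = s
                    break
            entry = self.sdt[window] = (candidate, skip)
        return entry

    def scan(self, data):
        """Return (offset, sid) for every rule whose pattern occurs in data."""
        alerts = []
        i, w = 0, self.w
        while i + w <= len(data):
            window = data[i:i + w]
            self.windows_examined += 1
            candidate, skip = self._lookup_sdt(window)
            if candidate:
                # Window equals some rule prefix: walk the RHT bucket(s) in
                # priority order and verify each full pattern against the data.
                bucket = list(self.rht.get(window, []))
                if window.lower() != window:
                    bucket += self.rht.get(window.lower(), [])
                for r in sorted(bucket, key=lambda r: r.priority):
                    seg = data[i:i + len(r.pattern)]
                    hit = seg.lower() == r.pattern.lower() if r.nocase else seg == r.pattern
                    if hit:
                        alerts.append((i, r.sid))
            i += skip
        return alerts


# Constructed rules: 1001 and 1002 collide on the prefix "abc" in the RHT.
RULES = [
    Rule(1001, b"abc", priority=2),
    Rule(1002, b"abcdef", priority=1),
    Rule(1003, b"GET /cgi-bin/", priority=1, nocase=True),
    Rule(1004, b"\x90\x90\x90\x90", priority=3),
]
# Constructed buffer mixing ASCII and binary bytes (not captured traffic).
SAMPLE = b"..abcdef..get /CGI-BIN/x.\x90\x90\x90\x90.abc"

if __name__ == "__main__":
    m = PrefixWindowMatcher(RULES)
    print(m.scan(SAMPLE), "windows examined:", m.windows_examined, "of", len(SAMPLE) - m.w + 1)
```

The skip logic is what lets the matcher avoid looking at every byte offset: of the 31 possible 3-byte windows in the sample, only a fraction are ever examined, and a window whose last byte cannot begin any rule prefix is skipped by the full window width. Where two rules share a prefix, one hash lookup yields both and the higher-priority rule is verified first.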

Page 28

Page 29

Q&A

Page 30

Sources

• Rong-Tai Liu, Nen-Fu Huang, Chih-Hao Chen, and Chia-Nan Kao. 2004. A fast string-matching algorithm for network processor-based intrusion detection system. ACM Trans. Embed. Comput. Syst. 3, 3 (August 2004), 614-633.

• Brian D. Carrier. 2006. Risks of live digital forensic analysis. Commun. ACM 49, 2 (February 2006), 56-61.

• Jose M. Gonzalez, Vern Paxson, and Nicholas Weaver. 2007. Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07). ACM, New York, NY, USA, 139-149.