network intrusion detection systems #2
DESCRIPTION
Slides from the overview presentation on advanced methods and risks in intrusion detection/prevention systems, given in the Security in Internet course at the Faculty of Informatics and Information Technology. The presentation is part of the course assignment.
TRANSCRIPT
Network intrusion detection/prevention systems
#2
As seen in previous presentation…
Signature-based analysis
• pattern matching
• “patterns of malicious traffic”
• very elementary (basically grepping)
+ huge community for rule generation
+ great for low level analysis (rules are very specific)
+ does not take many resources
- lower performance with a big ruleset
- slight attack variation can beat the rule
Protocol-based analysis
• reviewing network data
• strictly based on layer headers
• knowledge of expected values
+ better possibility for scalability
+ generic, able to catch zero-day exploits
- protocol header preprocessor needs resources
- rules can get extremely difficult to write/understand
- provides little information, admin has to investigate
TOC
• Shunting
• Risks of live data analysis
• Fast string-matching algorithm for NIDS
Shunting
Traffic analysis problems and solutions
• higher data rates every day
(everything needs to be analyzed)
• custom IDS hardware is put in place
(high cost, network structure change)
What’s shunting?
• combination of HW and SW IPS
• running on simple commodity PC hardware
• HW element:
– several large state tables indexed by packet header fields
(TCP/IP flags, connection tuples, IP addresses)
Packet work
• Every packet is fast-checked by the HW element; it can be
– forwarded to the destination
– dropped completely
– “shunted” through IPS
• Table entries in the HW element can be configured to
– specify traffic to examine
– block malicious traffic
– cut through portions of traffic streams
Shunting Example
• IPS monitoring SSH traffic
• New connection is opened
• Shunt fails to find entry in per-address (standard connections) or per-connection (encrypted connections) tables
• Traffic is diverted to IPS and analyzed
• Packets are dropped or injected back to network
Shunting architecture
• Shunt’s tables work like a cache and by default, they’re read-only (table doesn’t update itself)
• Analysis engine (IPS) has to maintain connection states and also update Shunt tables
Breakdown of the Traffic
Shunt advantages
• Separation of policy and mechanism
• Keeping things simple (memory access limits per packet)
• Minimal need for buffering
• When set up properly, IDS can offload 55%-90% of all traffic
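The shunt decision path described on the preceding slides, written out as an added Python illustration (not the authors' code): the HW element only reads its per-address and per-connection tables and diverts anything unknown, while the analysis engine is the only writer of those tables. The `handshake_packets` cut-through threshold and the blocked-address list are assumptions made for the demonstration.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src dst sport dport")
FORWARD, DROP, SHUNT = "forward", "drop", "shunt"

class ShuntTables:
    """HW element state: read-only from the shunt's side, written only by the IPS."""
    def __init__(self):
        self.per_address = {}     # ip -> action, for ordinary connections
        self.per_connection = {}  # (src, dst, sport, dport) -> action, e.g. encrypted flows
    def lookup(self, pkt):
        conn = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if conn in self.per_connection:
            return self.per_connection[conn]
        for ip in (pkt.src, pkt.dst):
            if ip in self.per_address:
                return self.per_address[ip]
        return SHUNT  # no entry: divert the packet to the analysis engine

class AnalysisEngine:
    """Software IPS: sees only shunted packets, keeps connection state, updates tables."""
    def __init__(self, tables, blocked_ips, ssh_port=22, handshake_packets=3):
        self.tables, self.blocked_ips = tables, set(blocked_ips)
        self.ssh_port, self.handshake_packets = ssh_port, handshake_packets
        self.seen = {}  # connection tuple -> packets inspected so far
    def inspect(self, pkt):
        if pkt.src in self.blocked_ips:  # known-bad source: block it in the HW table
            self.tables.per_address[pkt.src] = DROP
            return DROP
        conn = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        self.seen[conn] = self.seen.get(conn, 0) + 1
        # SSH: after the cleartext handshake the stream is encrypted and the IPS learns
        # nothing more, so the rest is cut through in HW (handshake_packets is an assumed threshold)
        if pkt.dport == self.ssh_port and self.seen[conn] >= self.handshake_packets:
            self.tables.per_connection[conn] = FORWARD
        return FORWARD

def process(packets, engine, tables):
    """Return (action, decided_by) per packet; 'hw' entries never reached the IPS."""
    trace = []
    for pkt in packets:
        action = tables.lookup(pkt)
        if action == SHUNT:
            trace.append((engine.inspect(pkt), "ips"))
        else:
            trace.append((action, "hw"))
    return trace

def offload_ratio(trace):
    # fraction of packets handled entirely by the HW element (the slides' 55%-90%)
    return sum(1 for _, who in trace if who == "hw") / len(trace)
```

Feeding a constructed SSH session followed by packets from a blocked address through `process` shows the first few SSH packets and the first bad packet reaching the IPS, and everything after that being decided in the tables.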
Analysis
• Live analysis
– using software present during investigated timeframe
– system is kept running
– admins are reviewing apps and logs
– relies on application that could have been modified to produce false data
• Dead analysis
– system is shut down
– image of HDD is made and analyzed in lab
Murder in the Hotel Room…
False Data - Rootkits
• inserts a filter in the data flow
• application level, user-mode level (needs to replace ls, find, du…)
• system libraries level
• kernel level
• system call level (via wrappers)
Rootkit Countermeasures
• Application level: trusted tools
• Library level: statically compiled trusted tools (some systems require dynamic libraries)
• Kernel rootkits: basic read calls instead of system calls
Live analysis future
• Use of specialized hardware for HDD images (so the dead analysis can be performed)
• Change of system design, isolation of software components
• Digital forensics precedence is to use dead analysis over live; if many computers are involved, live analysis can save time.
Introduction (fast string-matching algorithm for NIDS)
• Based on SNORT ruleset
• Need for efficient algorithms
– complexity increases with number of patterns of various sizes in every ruleset
– case sensitivity might be involved
– rule patterns are ASCII chars (not uniformly distributed), network traffic is binary data
– prioritization among signatures might be involved
Overview
• Based on
– prefix sliding window (PSW)
– skip distance table (SDT)
– rule hashing table (RHT)
• Compile time and runtime preprocessing
Skip Distance Table
• “abc” string matching (0x61,0x62,0x63)
– range 0x000061-0xFFFF61 matched, shift 2, so 0x61???? can be evaluated
– range 0x006162-0xFF6162 matched, shift 1, so 0x6162?? can be evaluated
– etc.
Rule Hashing Table
• Designed for storing collision entries under one key
• Collisions are stored with prioritized linked list in Rule Status Table (RST)
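An added Python illustration of how the Skip Distance Table and Rule Hashing Table slides above fit together (a simplified reconstruction, not the code from the Liu et al. paper): a 3-byte prefix sliding window, a skip distance derived from which proper rule prefixes end the window (the “abc” example gives shift 2 for a window ending in 0x61 and shift 1 for one ending in 0x6162), and a hash keyed by the full prefix that keeps colliding rules in one list. Patterns shorter than the window and case-insensitive rules are left out on purpose.

```python
W = 3  # prefix sliding window width; the slides' "abc" example uses a 3-byte window

def build_tables(patterns):
    """Build the two lookup structures from a set of byte patterns (each >= W bytes)."""
    assert all(len(p) >= W for p in patterns), "rules shorter than the window are not handled here"
    # RHT: full W-byte prefix -> every rule starting with it (collisions share one key)
    rht = {}
    for p in patterns:
        rht.setdefault(p[:W], []).append(p)
    # SDT source data: every proper prefix (1..W-1 bytes) of any rule. If the last k
    # bytes of the window form such a prefix, the window may only move W-k, not W.
    short_prefixes = {p[:k] for p in patterns for k in range(1, W)}
    return short_prefixes, rht

def skip_distance(window, short_prefixes):
    """Smallest safe shift (1..W) for the current window, as the SDT lookup would return."""
    for shift in range(1, W):
        if window[shift:] in short_prefixes:  # e.g. b'??a' -> 2, b'?ab' -> 1 for rule b'abc'
            return shift
    return W  # no rule can start inside this window: jump over it entirely

def search(data, patterns):
    """Return [(offset, rule)] for every rule occurrence in data, in scan order."""
    short_prefixes, rht = build_tables(patterns)
    hits, i = [], 0
    while i + W <= len(data):
        window = data[i:i + W]
        for rule in rht.get(window, ()):  # shift 0: prefix present, verify the full rule
            if data.startswith(rule, i):
                hits.append((i, rule))
        i += skip_distance(window, short_prefixes)
    return hits
```

Running `search` over a constructed payload with several rules shows the window skipping 3 bytes through uninteresting data and slowing to 1- or 2-byte shifts only where a rule prefix could be starting.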
Q&A
Sources
• Rong-Tai Liu, Nen-Fu Huang, Chih-Hao Chen, and Chia-Nan Kao. 2004. A fast string-matching algorithm for network processor-based intrusion detection system. ACM Trans. Embed. Comput. Syst. 3, 3 (August 2004), 614-633.
• Brian D. Carrier. 2006. Risks of live digital forensic analysis. Commun. ACM 49, 2 (February 2006), 56-61.
• Jose M. Gonzalez, Vern Paxson, and Nicholas Weaver. 2007. Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07). ACM, New York, NY, USA, 139-149.