Upload File

raid2005 cardguard: towards software-based signature detection for intrusion prevention on the...

  • Home
  • Documents
  • RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by
17
RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by Willem de Bruijn

Upload: oswald-daniels

Post on 30-Jan-2016

222 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

CardGuard:

Towards software-based signature detectionfor intrusion prevention on the network card

Herbert Bos and Kaiming Huangpresented by Willem de Bruijn

Page 2: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

IDS is insufficient

intrusion prevention is preferable over detectionactive guardingnullifies evasion & insertion attemps

but, prevention problematic at traditional firewallsperformance issueslack of knowledgeinternal nodes expected saferigid, leading to circumvention

Page 3: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

Move IPS to the edge

using a software based solutionon the network card

full payload scanning ,at line-rate*

to create a (crude) cost-effective local IPS

CardGuard implements

Page 4: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

IntroductionArchitecture

ImplementationResults

Page 5: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

distributed firewalling

signature detection is easier at the network edge

can overwhelm CPU69Mbps max on 1.8 Ghz P4

a solution is to offload to the NIC: unobtrusive & difficult to subverge

Page 6: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

Network Processors

Programmable NICs that combinecheap software with fast hardware

they contain ●stream processors●asynchronous memory●hardware assist (e.g., CAM)

Page 7: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

Efficient Pattern Matching

snort ruleset >28.000 pattern-based rulesrequires parallel processing

Aho Corasickpattern-matching algorithm

single-passcomplexity independent of #patterns

Page 8: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

Aho Corasick Example

a deterministic finite automaton (DFA)for the Slammer wormidentifies 5 different patterns

Page 9: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

IntroductionArchitecture

ImplementationResults

Page 10: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

IXP1200

PCI daughterboardor stand-alone box

two 1Gbps ports6 stream µEngines

4 HW threads/engine1 StrongARM CPU @ 200MhzIXP 2XXX

Page 11: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

software mapping

Cp

RxTx ToE

AC

AC

ToE

RegEx=

Page 12: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

Flow handling

TCP reconstruction light:basic flow-accountingdatastream sanitisation

Out-of-order handling:put on hold, ortwo-pass scan

CpRx ACToE

TxCp ACToE

Page 13: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

efficient memory use

size

latency Scratch, 16KB, 12..14 cycles

SRAM : 8 MB , 16..20 cycles

SDRAM : 256 MB , 30...40 cycles

Istore, 1KB, 1 cycle

Registers, 512B, 1 cycle; shared

inline DFA

in-memory DFA

memory access is the bottleneck

Page 14: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

IntroductionArchitecture

ImplementationResults

Page 15: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

inline DFA

in-memory DFA

inline in-memory0

100

200

300

400

500

600

700

800

900

cost of 10 state-transitionsReg SDRAM

#cy

cles

Page 16: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

benchmarks

64 300 600 900 1200 15000

10000

20000

30000

40000

50000

60000

packetsize

cycl

es

processing costs scale linearly with datarate, not packetrate

Full TCP scan sustainable at 100Mbit

Page 17: RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by

RAID2005

conclusions

intrusion prevention is feasible at the network edgeNP-based solutions are cheap and unobtrusive

caveatCardGuard is only a crude prototype

lacks a sophisticated management plane


IDIOGRAMS OF YAK (BOS GRUNNIENS), CATTLE (BOS TAURUS

Intrusion Detection & Intrusion Prevention Systems

Intrusion Detection Jie Lin. Outline Introduction A Frame for Intrusion Detection System Intrusion Detection Techniques Ideas for Improving Intrusion

Guided Image Filtering - Kaiming Hekaiminghe.com/eccv10/eccv10ppt.pdfGuided Image Filtering Kaiming He Jian Sun Xiaoou Tang The Chinese University of Hong Kong Microsoft Research Asia

Intrusion Investigation and Post-Intrusion Computer ... · PDF fileINTRUSION INVESTIGATION AND POST-INTRUSION ... detection, and response and ... Intrusion Investigation and Post-Intrusion

Naar het bos ! naaldbos loofbos gemengd bos bos met naaldbomen bos met loofbomen bos met naald - en loofbomen

Intrusion Dection System and Intrusion Remedies

The Starfish System: Providing Intrusion Detection and Intrusion

INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

An Intrusion Detection Model Based Upon Intrusion Detection

Christoph Feichtenhofer Haoqi Fan Jitendra Malik Kaiming ... · Christoph Feichtenhofer Haoqi Fan Jitendra Malik Kaiming He Facebook AI Research (FAIR) Abstract We present SlowFast

Effective Value Intrusion Detection Datasets Intrusion ...users.cis.fiu.edu/~lpeng/Intrusion/2.pdfmining. In intrusion detection systems (IDSs), the data mining techniques are useful

1 INTRUSION ALARM TECHNOLOGY INTRO TO INTRUSION ALARM

CRIOTOLERÂNCIA DE EMBRIÕES BOS TAURUS INDICUS E BOS

Modern Intrusion Practices Modern Intrusion Practices - Black Hat

Intrusion Detection Systems and Intrusion Prevention Systems

Clasificacion bos taurus y bos indicus

Intrusion Detection • Principles • Models of Intrusion ...muratk/courses/dbsec12f_files/Intrusion... · • Models of Intrusion Detection • Architecture of an IDS ... insert

Bos indicus e Bos taurus

enablebih.orgenablebih.org/doc_PPDM_STEM/STEM/BOS/ONPP BOS/BOS-ONPP-FIZ.pdfenablebih.org

BOS-1SM BOS-1-1/2SM - Truper

Van tijdelijk bos naar permanent bos - probos.nl · Van tijdelijk bos naar permanent bos Patrick A.G. Jansen Wageningen, april 2004

Dr. Kaiming Ye - Binghamton University · Dr. Kaiming Ye Professor & Department Chair Biomedical Engineering Director, Center of Biomanufacturing for Regenerative Medicine Contact

OS support for (flexible) high-speed networking Herbert Bos Vrije Universiteit Amsterdam uspace kspace nspace u k n monitoring intrusion detection packet

Razas Bos Indicus y Bos taurus

Intrusion Detection Sven Diesendorf INF02. Übersicht 1 Einführung Intrusion Intrusion Detection Firewall und Intrusion Detection System 2 Technik Aufbau

Intrusion Tolerance Mete GELEŞ. Overview Definitions(Fault, intrusion) Dependability Intrusion tolerance concepts Intrusion detection, masking,

Network Intrusion Forensic Analysis Using Intrusion Detection … · Network Intrusion Forensic Analysis Using Intrusion Detection System . Manish Kumar. 1. Asst. professor, ... Abstract:-

SNIPER IPS-G V8.0 Security Target - Common Criteria · SNIPER IPS, Network based intrusion detection, intrusion analysis, intrusion response, intrusion prevention system, information

Intrusion Detection Bosch Security Systems Inc. - Anixter Security... · Intrusion Detection Bosch Security Systems Inc. ... •Alarm retransmission Detectors;Intrusion/3096 ... Intrusion

Deep Residual Learning - Kaiming Hekaiminghe.com/...deep_residual_learning_kaiminghe.pdf · Kaiming He, Xiangyu Zhang, Shaoqing Ren, & Jian Sun. “Deep Residual Learning for Image

SIMPLE WEIGHT MODULES OVER WEAK GENERALIZED WEYL …mazor/PREPRINTS/KAIMING/wgwa.pdf · Introduction and description of the results ... 2 RENCAI LU, VOLODYMYR MAZORCHUK AND KAIMING

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from

Bos taurus vs. Bos indicus

Intrusion Prevention Intrusion Prevention for for Service