Efficient and Effective Architecture for
Intrusion Detection System
Prepared by
Ashif Adnan, Omair Alam, Akhtaruzzaman
School of Computer Science
University of Windsor
ON, Canada
Outline
Introduction
Motivation
Goal
Related works
Our observations
Conclusion
Acknowledgment
References
Introduction
Ubiquitous computing environment
Intrusion Detection Systems
Misuse based
Anomaly based
Intrusion determination
False positive
False negative
Intrusion detection rules
Proactive intrusion detection
Motivation
Tremendous growth of network
More availability of information
Need for information security
Growing importance of IDS
Lack of efficiency in data collection
Inefficiency and inaccuracy in analyzing attacks
Complexity in rules checking
Goal
Effective,
Efficient and
Secure Intrusion Detection System
Related works
New Approaches to Data Collection, Management and
Analysis for IDS
Basic concept used was SMASH
SMASH – A Secure Monitoring System for Information Assurance, Analysis
and survivability of Network Hazards.
Basic need for implementing SMASH was Network Security.
The analysis will help reduce false positives and false negative
determinations of intrusions
Related works (cont’d)…Data Collection, Management and Analysis
Requirements for implementing SMASH sensors
Low cost
No extreme bandwidth requirements
Flexible
Scalable
Wireless networks fulfil all of these
requirements
Additional advantage that sensors can be moved
without disruption of the operational network
Related works (cont’d)…Data Collection, Management and Analysis
Features of Gumstix used
It is a miniature computer which comes preloaded with
the Linux operating system.
A 400 MHz processor
NetCf stick, which combines a 100Mbps Ethernet
interface with a compact flash card adapter
A compact flash wireless card
It measures only 4” long by ¾” wide and ½”
thick.
The motherboards measure 80 mm x 20 mm x
6.3 mm.
Related works (cont’d)…Data Collection, Management and Analysis
Figure 1: Gumstix Computers
Figure 2: Gumstix Motherboard
Graphic Reference: http://www.gumstix.com/
Related works (cont’d)…Data Collection, Management and Analysis
Collecting Data using Gumstix
Setting up the network
Sensor(Gumstix) as the sniffer
A central management system
Network monitoring software such as Tcpdump
IDS application such as Snort
Java application using socket programming
Related works (cont’d)…Data Collection, Management and Analysis
Figure 3: Gumstix Network Setup
Related works (cont’d)…Data Collection, Management and Analysis
Managing Data over Wireless
Key issue- Communication with the controlling workstation
If the sensor comes under a DDoS attack, its ability to send
data back to the controller may be compromised.
So the best solution is to have the sensor communicate with
the management station on a dedicated, isolated network.
But an additional wired network becomes unmanageable, so a
wireless network is used.
Related works (cont’d)…Analysis of the design
Analyzing data with Data Fusion and Data Mining
Techniques
Data Fusion is generally defined as the use of techniques that
combine data from multiple sources and gather that
information in order to draw inferences that are more
efficient than those achieved by means of a single
source.
Data Mining is the principle of sorting through large amounts
of data and picking out relevant information.
The combination of data fusion and data mining techniques has
the greatest potential to solve a major drawback of IDS: the
unacceptable numbers of false positives and false negatives.
Related works…cont’d
High throughput string matching architecture for IDS/IPS
IDS/IPS requirements
Worst Case Performance
Non-Interrupting Rule Update
High Throughput per Area
Related works (cont’d)…String matching architecture
String Matching Engine
Each string is broken down into a set of small state machines
Hierarchical architecture
Highest level is the full device
Each device holds the entire set of strings
Reads character in every cycle
Computes the set of matches and reports
Devices can be replicated
Related works (cont’d)…String matching architecture
Figure 4: The String Matching Engine of the High Throughput Architecture [2]
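The bit-split string matching engine of [2] described above, as an added worked example in Python (not code from the presentation or from [2]): a group of g rule strings is compiled into one Aho-Corasick machine, that machine is split into n machines that each read only 8/n bits of every byte (fan-out 2^(8/n), as in Table 1), and a match is reported only where every machine's partial match vector agrees. The rule strings and the scanned request are constructed for illustration.

```python
from collections import deque
def build_ac(patterns):   # Aho-Corasick: full 256-way table delta[state][byte], output ids per state
    goto, out = [{}], [set()]
    for pid, pat in enumerate(patterns):
        s = 0
        for c in pat:
            s = goto[s].setdefault(c, len(goto))
            if s == len(goto): goto.append({}); out.append(set())
        out[s].add(pid)
    delta = [[goto[0].get(c, 0) for c in range(256)]] + [None] * (len(goto) - 1)
    queue = deque((s, 0) for s in goto[0].values())   # (state, its fail state), BFS order
    while queue:
        r, fr = queue.popleft()
        delta[r] = [goto[r].get(c, delta[fr][c]) for c in range(256)]
        for c, s in goto[r].items():
            fs = delta[fr][c]                # fail link: longest proper suffix present in the trie
            out[s] |= out[fs]                # a state also reports its suffix matches
            queue.append((s, fs))
    return delta, out

def bit_split(delta, out, n):
    """n machines each reading 8//n bits per byte: a split state is the set of full
    states it may stand for, its partial match vector (PMV) the OR of their outputs."""
    width = 8 // n; mask = (1 << width) - 1; machines = []
    for shift in range(0, 8, width):
        groups = [[c for c in range(256) if (c >> shift) & mask == v] for v in range(mask + 1)]
        index, trans, pmv, todo = {frozenset([0]): 0}, [[0] * (mask + 1)], [0], deque([frozenset([0])])
        while todo:
            cur = todo.popleft(); i = index[cur]
            pmv[i] = sum(1 << p for p in set().union(*(out[s] for s in cur)))
            for v in range(mask + 1):        # subset construction over this bit slice
                nxt = frozenset(delta[s][c] for s in cur for c in groups[v])
                if nxt not in index:
                    index[nxt] = len(trans); trans.append([0] * (mask + 1)); pmv.append(0); todo.append(nxt)
                trans[i][v] = index[nxt]
        machines.append((shift, mask, trans, pmv))
    return machines

def scan(machines, data):   # lockstep scan: a pattern id is reported only if every machine's PMV bit is set
    states, hits = [0] * len(machines), []
    for pos, byte in enumerate(data):
        match = -1                           # all ones, narrowed by each machine's AND
        for k, (shift, mask, trans, pmv) in enumerate(machines):
            states[k] = trans[states[k]][(byte >> shift) & mask]
            match &= pmv[states[k]]
        if match:
            hits.append((pos, [p for p in range(match.bit_length()) if match >> p & 1]))
    return hits
def demo(n=4):   # constructed rule group (g = 3) and request; n split machines, fan-out 2**(8//n)
    return scan(bit_split(*build_ac([b"/etc/passwd", b"cmd.exe", b"passwd"]), n), b"GET /etc/passwd HTTP/1.0")
```

Because each split machine sees only a slice of every byte, its own PMV over-approximates; the AND across all n machines is exact, which is why the same hits come out for n = 2, 4 and 8.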
Related works (cont’d)…String matching architecture
Support for Non-interrupting Update
Automated systems are used
Faster than older FPGA (field-programmable gate array) based techniques
Figure 5: Non-interrupting update support [2]
Related works (cont’d)…Analysis of the design
Theoretical optimal partitioning
For a set of S strings, each of L characters, the total number of bits the architecture requires is
$T_{n,g} = n \lfloor S/g \rfloor \, 2^{\lfloor \log_2(gL) \rfloor} \left( \lfloor \log_2(gL) \rfloor \, 2^{8/n} + g \right)$
where n is the number of state machines per rule module and g is the group size.
n   Fanout ($2^{8/n}$)   Storage in bits $T_{n,g}$
2   16                   $2 \lfloor S/g \rfloor \, 2^{\lfloor \log_2(gL) \rfloor} \left( 16 \lfloor \log_2(gL) \rfloor + g \right)$
4   4                    $4 \lfloor S/g \rfloor \, 2^{\lfloor \log_2(gL) \rfloor} \left( 4 \lfloor \log_2(gL) \rfloor + g \right)$
8   2                    $8 \lfloor S/g \rfloor \, 2^{\lfloor \log_2(gL) \rfloor} \left( 2 \lfloor \log_2(gL) \rfloor + g \right)$
Table 1: Optimal module size [2]
Related works (cont’d).. Analysis of the design
Throughput analysis
Description                                   Throughput (Gbps)   Char/Area (1/mm^2)   Notes
Bit Split FSM (Group Size 16)                 10.074              55.219               Bank size 64B
                                              9.759               72.592               Bank size 128B
                                              9.326               156.569              Bank size 256B
Sourdis and Pnevmatikatos, Pre-decoded CAMs   9.708               23.482               4B/cc, Virtex2-6000
                                              4.913               22.682               4B/cc, Spartan3-5000
Hutchings et al., Regular Expressions         0.248               32.496               1B/cc, Virtex-1000
                                              0.400               32.496               1B/cc, Virtex-1000
...                                           ...                 ...                  ...
Table 2: Detailed Comparison of the Bit Split FSM Design and existing FPGA-based Designs [2]
Related works
Utilizing fuzzy logic and neural network for IDS in
wireless environment
Current IDS
No correlation between Host-based IDS and Network-based
IDS
Database needs to be updated frequently for missed attacks
Log files need to be analyzed over a long period of time
A problem with Anomaly Detection is that a user can, over time,
train the system to accept anomalous behaviour as
normal by slowly adding to the attack
Related works (cont’d)…Fuzzy logic and neural network
Difference
Figure 6: Comparison between Traditional and Alternative Misuse Detection [3]
Related works (cont’d)…Fuzzy logic and neural network
NeGPAIM-W2 Model
Figure 7: General Representation of NeGPAIM-W2 [3]
Related works (cont’d)…Fuzzy logic and neural network
The Fuzzy Engine
The fuzzy engine is one of the two low-level processing
units of NeGPAIM-W2 and will process the input data.
This engine is responsible for implementing the Misuse
Detection methodology.
The fuzzy engine first computes a template; the user action
graph is then mapped against it to determine whether a
user (intruder) has performed, or is performing, an
intrusion attack.
Related works (cont’d)…Fuzzy logic and neural network
Neural Engine
Second low-level processing engine
It also processes input data
This engine will process the data and search through it
for patterns of abnormal user behaviors that may be
occurring.
Related works (cont’d)…Fuzzy logic and neural network
Central Analysis Engine
To determine the source of an attack.
To determine the type of attack being currently perpetrated by
the attacker.
To take into account all information gathered from various
sources and to determine an overall intrusion probability.
Finally, the engine uses the overall intrusion probability value
along with the type and source of the intrusion attack to
perform a response to the intruder's actions.
Related works (cont’d).. Analysis of the design
Figure 8: Risk analysis (Fuzzy Engine: 5/8/70% risk; Central Analysis Engine: 6/9/75% risk; Neural Engine: 7/10/80% risk)
Related works (cont’d).. Analysis of the design
Method of Testing
Tested with a fully functional prototype called Sentinel IDS
Test Bed
Tools
Airodump, Aireplay, Aircrack, Super-Scan and Brutus
Misuse test by Fuzzy Engine
Microsoft Windows OS
98% accurate
Anomaly test by Neural Engine
97% accurate
Our observations
Data Collection, Management and Analysis for IDS…
Cumbersome and unwieldy to manage two or more
networks.
Need to backup management station
String matching architecture
Applicable to general search problems on general state
machines
Possible to improve throughput
By reading in more than one byte
Possible to extend the number of next states
By reading in more than one byte
Throughput needs to be multiplied with only a reasonable increase in
storage size.
Our observations (cont’d)
Intrusion detection with fuzzy logic and neural
network
Needs rigorous testing
Potential bugs and vulnerabilities might weaken the
WLAN security
Cost of the wireless IDS solution may grow with the size
of the WLAN
Our observations (cont’d)…New Architecture
Figure 9: Modified architecture for Intrusion Detection System (components: Access Point Logs; Sticky GUM Architecture for Data Collection; Database; High Throughput String Matching Rule based Architecture; Fuzzy Engine, Neural Engine and Central Analysis Engine with the 5/8/70%, 6/9/75% and 7/10/80% risk levels of Figure 8)
Conclusion
Observed steps
Investigation of new approach to data collection,
management and analysis for IDS using Gumstix
Investigation of high throughput string matching
architecture for IDS
Utilization of fuzzy logic and neural network for IDS
using the model NeGPAIM-W2
Our proposed idea
Efficient and Effective Architecture for Intrusion
Detection System
Acknowledgement
We would like to thank our professor for his great support and for
giving us the opportunity to learn about network security.
We would like to thank our audience for listening to our
presentation.
References
[1] E. Derrick, R. Tibbs, L. Reynolds. Investigating new approaches to data collection,
management and analysis for network intrusion detection. In Proc. of the 45th
annual southeast regional conference ACM-SE 45, Pages: 283 - 287, Publisher:
ACM Press, 2007.
[2] L. Tan, T. Sherwood. A high throughput string matching architecture for intrusion
detection and prevention, In Proc. of the 32nd International Symposium on
Computer Architecture, Vol. 33, Issue 2, Pages: 112-122, Publisher: IEEE
Computer Society, 2005.
[3] R. Goss, M. Botha, R. Solms. Utilizing fuzzy logic and neural networks for
effective, preventative intrusion detection in a wireless environment. In Proc of the
2007 annual research conference of the South African institute of computer
scientists and information technologists on IT research in developing countries
SAICSIT '07, Vol. 26, Pages: 29 - 35, Publisher: ACM Press, 2007.
[4] Gumstix, Inc. Gumstix – Way small computing. Accessed at
http://gumstix.com/index.html.
[5] S. A. Crosby and D. S. Wallach. Denial of service via algorithmic complexity
attacks. In Proc. of USENIX Annual Technical Conference, June 2003.
[6] http://portal.acm.org/citation.cfm?id=1292491.1292495.
The End
Questions?