Building Robust, Flexible, Scalable Distributed Intrusion Detection Systems
Building Robust, Flexible, Scalable Distributed Intrusion Detection Systems (DIDSes)
Hao Che, Department of Computer Science and Engineering, University of Texas at Arlington
CSIIR and IOC 1st Annual Workshop – March 14-15, 2005, Oak Ridge National Lab. Hao Che/University of Texas at Arlington (slide 1)
Outline
• Motivations
• Proposed Solution
• Thoughts on attack identification
• Research goal
Motivations
• Intrusion detection systems (IDSes) must be distributed in dealing with distributed attacks
• There are various types of DIDSes being built, including:
  • Host-based versus network-based
    • Host-based DIDS
    • Network-based DIDS
    • Hybrid DIDS
  • Centralized versus distributed
    • DIDS with centralized control
    • DIDS with distributed control
    • Both may be hierarchical or flat
Motivations
• A DIDS should be:
  • Robust: able to cope with partial failures of the DIDS through, e.g., dynamic resource sharing and dynamic load balancing
  • Flexible: able to allow, e.g., fast run-time software upgrade and rule table update, and flow tracking at various granularities
  • Scalable: able to keep up with multigigabit line rates and scale to large-sized networks
• In general, the existing DIDSes cannot meet all the above requirements simultaneously:
  • Most DIDSes do not address the robustness issue
  • Software-based IDSes cannot keep up with gigabit line rates
  • Hardware-based solutions lack flexibility
A Proposed Solution
• Network level: building a secured DIDS overlay using multipath for:
  • both link and node resource optimization
  • fast failure recovery
[Figure: DIDS overlay topology; labels: Point-to-multipoint (multipoint-to-point) multipath, Network-based IDS, Point-to-point multipath, Host-based IDS]
A Proposed Solution
• Node level: a hybrid solution for network-based IDS design:
  • Separation of string matching into header matching and payload string matching
  • Stateful and stateless header matching and load balancing are handled by a fully run-time programmable network processor at multigigabit rate
  • Payload string matching is performed by a set of traditional sensors at lower rates
• A network-based IDS may operate in one of two modes: stealthy mode or inline mode
A Proposed Solution
• Stealthy Mode: for intrusion detection only
[Figure: line card block diagram (Framer, SerDes, Network Processor, TCAM Coprocessor, Traffic Manager, MEM, CPU) attached to the monitored network through a tap and connected to the IDS Console, Local Sensors and Remote Sensors]
• Inline Mode: for both intrusion detection and prevention
[Figure: the same line card placed inline in the monitored network, connected to the IDS Console, Local Sensors and Remote Sensors]
A Proposed Solution
• Intel IXP2800 multigigabit network processor:
  • Micro-engines (MEs) can be configured to work in pipeline and/or parallel
  • Each ME runs its own micro-code, and the micro-code can be swapped at run-time
  • The XScale core maintains flow state and any other control plane functions
A Proposed Solution
• A four-stage configuration:
  • 1st stage: one ME distributes packets evenly to the MEs in the 2nd stage
  • 2nd stage: a set of MEs performs stateful flow classification and load balancing
  • 3rd stage: a set of MEs reorders the out-of-order packets received from the 2nd stage
  • 4th stage: outgoing packets are scheduled based on their QoS requirements
[Figure: ME pipeline with stages labelled dispatcher, load balancer, sequencer, scheduler]
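As an added example (not code from the slides or from the IXP2800 micro-code), a small Python model of the node-level design on slides 6 and 9: stage 1 dispatches, stage 2 does header-only stateful flow classification and pins each flow to one payload sensor (dynamic load balancing plus re-pinning when a sensor fails), stage 3 re-sequences the packets that the parallel stage-2 workers returned out of order, and stage 4 schedules by QoS class. The sensor names, QoS classes and traffic are constructed assumptions.

```python
from collections import defaultdict

# Constructed sensor pool standing in for the "local/remote sensors" of the slides.
SENSORS = ["sensor-A", "sensor-B", "sensor-C"]
QOS_RANK = {"control": 0, "best-effort": 1}     # assumed QoS classes for the scheduler

def flow_key(pkt):
    """Header-only 5-tuple: the NP classifies on headers; payload matching is left to sensors."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])

def dispatch(packets, n_workers):
    """Stage 1: one ME spreads packets evenly (round-robin) over the stage-2 MEs."""
    return [packets[i::n_workers] for i in range(n_workers)]

class LoadBalancer:
    """Stage 2: stateful flow classification. A flow is pinned to one sensor so that
    sensor sees the whole stream (payload string matching needs all of a flow)."""
    def __init__(self, sensors):
        self.sensors, self.flow_table, self.load = list(sensors), {}, defaultdict(int)
    def assign(self, pkt):
        key = flow_key(pkt)
        if key not in self.flow_table:              # new flow -> least-loaded live sensor
            self.flow_table[key] = min(self.sensors, key=lambda s: self.load[s])
        sensor = self.flow_table[key]
        self.load[sensor] += 1
        return sensor
    def sensor_failed(self, sensor):
        """Partial failure: forget the sensor; its flows re-pin on their next packet."""
        self.sensors.remove(sensor)
        self.flow_table = {k: s for k, s in self.flow_table.items() if s != sensor}

def run_pipeline(packets, lb, n_workers=4):
    """Stages 1-4: dispatch, classify/balance in parallel, re-sequence, schedule by QoS."""
    stamped = [dict(p, seq=i) for i, p in enumerate(packets)]     # ingress order stamp
    assigned = []
    for worker_batch in dispatch(stamped, n_workers):              # stage 2, one list per ME
        assigned += [dict(p, sensor=lb.assign(p)) for p in worker_batch]
    # Concatenating the worker outputs interleaves packets out of ingress order,
    # which is exactly what the stage-3 sequencer has to undo.
    sequenced = sorted(assigned, key=lambda p: p["seq"])           # stage 3: sequencer
    return sorted(sequenced, key=lambda p: QOS_RANK[p["qos"]])     # stage 4: stable by class

def sample_packets():
    """Constructed traffic: three flows, three packets each, interleaved on the wire."""
    flows = [("10.0.0.1", "10.0.0.2", 40001, 80, "tcp", "best-effort"),
             ("10.0.0.3", "10.0.0.4", 5060, 5060, "udp", "control"),
             ("10.0.0.5", "10.0.0.6", 40002, 443, "tcp", "best-effort")]
    return [dict(src=s, dst=d, sport=sp, dport=dp, proto=pr, qos=q)
            for _ in range(3) for (s, d, sp, dp, pr, q) in flows]
```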
A Proposed Solution
• Summary of the proposed solution:
  • It enhances the robustness, flexibility, and scalability of the existing DIDSes
  • In the inline mode, the proposed IDS can also serve as a dynamic firewall for intrusion prevention
  • The run-time programmability of the proposed IDS is an important capability which can be further exploited to build intelligent DIDSes
Thoughts on Attack Identification
• Two key components in a DIDS:
  • Attack identification
  • Alert correlation
• Two candidate techniques:
  • Robust identification
  • Frequency domain analysis
Thoughts on Attack Identification
• A state-of-the-art robust identification technique developed by experts in the control area
• Problem statement:
  • Given:
    • a model of the plant under normal conditions Go(λ, ∆o)
    • failure dynamics Gi(λ, ∆i)
    • a bound δ on the measurement noise
    • uncertainty sets ∆i
    • N input/output experiment measurements
  • Determine:
    1. Whether a fault has occurred
    2. In that case, isolate it and determine its strength
• Can be used for both anomaly and misuse detection
Thoughts on Attack Identification
• An immature thought on alert correlation
• Frequency domain analysis may play an important role because:
  • The power spectrum captures the relative strength of the correlated signals at different frequencies or timescales
  • It is a mature research field and various tools are readily available
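As an added example (not from the slides), a plain-DFT illustration of the power-spectrum idea above for alert correlation: per-minute alert counts from two sensors that see the same periodic activity (the second with a lag and a one-off burst) share a spectral peak at the same timescale, while a sensor with unrelated periodic activity shares none. The alert series are constructed, and the lag/burst parameters are assumptions.

```python
import cmath
import math

def dft(series):
    """Plain DFT of the mean-removed series, bins 0..N/2 (no numpy; fine for small N)."""
    n, mean = len(series), sum(series) / len(series)
    x = [v - mean for v in series]             # drop DC so bin 0 cannot dominate
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n // 2 + 1)]

def power_spectrum(series):
    """Periodogram |X_k|^2 / N: relative strength of each timescale in one alert stream."""
    n = len(series)
    return [abs(c) ** 2 / n for c in dft(series)]

def cross_spectrum(a, b):
    """|X_k * conj(Y_k)| / N: large only where BOTH streams carry energy at bin k."""
    n = len(a)
    return [abs(x * y.conjugate()) / n for x, y in zip(dft(a), dft(b))]

def dominant_period(spectrum, n):
    """Timescale (in samples) of the strongest non-DC bin, n / k."""
    k = max(range(1, len(spectrum)), key=lambda i: spectrum[i])
    return n / k

def alert_counts(period, n=64, lag=0, burst_at=None):
    """Constructed per-minute alert counts: a triangle-like wave of the given period
    (e.g. a sweep repeating every `period` minutes), optionally lagged, plus an
    optional one-off burst that is not periodic and so spreads thinly over all bins."""
    out = [round(2 + 2 * math.cos(2 * math.pi * ((t - lag) % n) / period)) for t in range(n)]
    if burst_at is not None:
        out[burst_at] += 5
    return out

if __name__ == "__main__":
    a, b, c = alert_counts(8), alert_counts(8, lag=2, burst_at=20), alert_counts(16)
    print("sensor a period:", dominant_period(power_spectrum(a), 64))
    print("shared a/b period:", dominant_period(cross_spectrum(a, b), 64))
    print("a/b vs a/c cross peak:", max(cross_spectrum(a, b)[1:]), max(cross_spectrum(a, c)[1:]))
```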
Research Goal
• Research goal by the end of this summer: a detailed architecture of the proposed research with one of two possible outcomes:
  1. A DIDS architecture with the proposed solution integrated with a new anomaly and misuse detection mechanism
  2. A DIDS architecture that integrates the proposed solution with an existing DIDS
• The outcome will serve two purposes:
  1. A proposal for funding opportunities
  2. The basis for the development of such a DIDS
Thanks!!!