
Towards High Speed Network Defense


Presentation Transcript


  1. Towards High Speed Network Defense Zhichun Li EECS Department Northwestern University

  2. Agenda • Briefly introduce my thesis work • Dive into high performance vulnerability signature matching • Future research directions

  3. Motivation • Attackers: botnets, worms • Professional attackers exploit enterprise networks for profit ($$$)

  4. Network Level Defense • Network gateways/routers are the vantage points for detecting large scale attacks • Host-based detection/prevention alone is not enough for modern enterprise networks • Some users do not apply host-based schemes because of reliability problems, overhead, and conflicts • Many users do not update or patch their systems on time • Enterprises cannot rely only on their end users for security protection

  5. Challenges • Scalable to high speed networks with a large number of users • Need to be highly accurate • Adapt fast to the emerging threats • Have good attack coverage.

  6. Network-based Intrusion Detection, Prevention, and Forensics System • Framework (figure; packet streams and honeynet/honeyfarm data feed the four components): (I) Sketch based monitoring & detection [Scalability] (II) Polymorphic worm signature generation [Accuracy & adapt fast] (III) Signature matching engines [Accuracy & Scalability & Coverage] (IV) Network Situational Awareness [Accuracy & adapt fast]

  7. Network-based Intrusion Detection, Prevention, and Forensics System (I) Online traffic monitoring and recording [INFOCOM 2006, ToN 2007] (cited by 30+) • Reversible sketch for data streaming computation • Record millions of flows (GB of traffic) in a few hundred KB • Small number of memory accesses per packet • Scalable to large key space sizes (2^32 or 2^64) • Online sketch-based flow-level anomaly detection [IEEE ICDCS 2006] [IEEE CG&A, Security Visualization 2006] • Detect TCP SYN flooding, horizontal and vertical scans even when mixed (figure: sketch table with H rows of K buckets, row j indexed by hash function h_j(k))

  8. Network-based Intrusion Detection, Prevention, and Forensics System (II) Polymorphic worm signature generation • Token based Signature [IEEE Symposium on Security and Privacy 2006] (cited by 40+, code requested by Columbia U., UT Austin, Purdue, Georgia Tech, UC Davis, etc.) • Network based Vulnerability Signature [IEEE ICNP 2007] [NSF Cyber Trust Award] (figure: network gateway between the Internet and our network inspecting the bit stream)

  9. Network-based Intrusion Detection, Prevention, and Forensics System (III) NetShield: Vulnerability Signature based NIDS/NIPS [under submission] [NSF Cyber Trust Award] (interest from Cisco and Juniper) • Focus of this talk, details come later

  10. Network-based Intrusion Detection, Prevention, and Forensics System (IV) Large-scale botnet and P2P misconfiguration event situational-aware forensics • Botnet attack target/strategy inference [ASIACCS09] • Root cause analysis of the P2P misconfiguration/poisoning traffic [under submission]

  11. NetShield: Matching a Large Vulnerability Signature Ruleset for High Performance Network Defense

  12. NetShield Overview • NIDS/NIPS (Network Intrusion Detection/Prevention System) operation (figure): packets and a signature DB go into the NIDS/NIPS, which outputs security alerts • Goals: accuracy, speed, attack coverage

  13. State of the art Regular expression (regex) based approaches Pros • Can efficiently match multiple sigs simultaneously, through DFA • Can describe the syntactic context Example: .*Abc.*\x90+de[^\r\n]{30} Cons • Limited expressive power • Cannot describe the semantic context • Inaccurate

  14. State of the art: Vulnerability Signature [Wang et al. 04] Example:
     BIND: rpc_vers==5 && rpc_vers_minor==1 && packed_drep==\x10\x00\x00\x00 && context[0].abstract_syntax.uuid==UUID_RemoteActivation
     BIND-ACK: rpc_vers==5 && rpc_vers_minor==1
     CALL: rpc_vers==5 && rpc_vers_minor==1 && packed_drep==\x10\x00\x00\x00 && stub.RemoteActivationBody.actual_length>=40 && matchRE(stub.buffer, /^\x5c\x00\x5c\x00/)
     Pros • Directly describe semantic context • Very expressive, can express the vulnerability condition exactly • Accurate Cons • Slow! • Existing approaches all use sequential matching • Require protocol parsing

  15. Motivation of NetShield

  16. Motivation • Desired features for signature-based NIDS/NIPS: Accuracy (especially for IPS), Speed, Coverage (large ruleset) (figure: the feature axes with the labels "Focus of this work", "Cannot capture vulnerability condition well!", and Shield [SIGCOMM'04])

  17. Research Challenges • Background: use protocol semantics to express the vulnerability; a signature is defined on a sequence of PDUs, with one predicate for each PDU; example: ver==1 && method=="put" && len(buf)>300 • Challenges: matching thousands of vulnerability signatures simultaneously (sequential matching → match multiple sigs simultaneously); high speed parsing

  18. Outline • Motivation • High Speed Matching for Large Rulesets • High Speed Parsing • Evaluation • Research Contributions

  19. A Vulnerability Signature Example • Data representations: for all the vulnerability signatures we studied, we only need numbers and strings • Number operators: ==, >, <, >=, <= • String operators: ==, match_re(.,.), len(.) • Example signature for the Blaster worm:
     BIND: rpc_vers==5 && rpc_vers_minor==1 && packed_drep==\x10\x00\x00\x00 && context[0].abstract_syntax.uuid==UUID_RemoteActivation
     BIND-ACK: rpc_vers==5 && rpc_vers_minor==1
     CALL: rpc_vers==5 && rpc_vers_minor==1 && packed_drep==\x10\x00\x00\x00 && stub.RemoteActivationBody.actual_length>=40 && matchRE(stub.buffer, /^\x5c\x00\x5c\x00/)

  20. Matching Problem Formulation • Consider single PDU matching first • Suppose we have n signatures, defined on k matching dimensions (matchers) • A matcher is a two-tuple (field, operation), or a four-tuple for associative array elements • Translate the n signatures to an n by k table • Rule 6: URI.Filename=="fp40reg.dll" && len(Headers["host"])>300

  21. Matching Problem Formulation • Challenges for the Single PDU Matching problem (SPM): large number of signatures n; large number of matchers k; large number of "don't cares"; cannot reorder matchers arbitrarily (buffering constraint); field dependency: arrays, associative arrays, mutually exclusive fields

  22. Matching Algorithms • Candidate Selection Algorithm • Pre-computation decides the rule order and matcher order • Divide-and-conquer: compare with the matchers and iteratively combine the results efficiently

  23. Step 1: Pre-Computation • Matcher reorder: put the non-selective matchers later, subject to the buffering constraint & field arrival order • Rule reorder: (figure)

  24. Step 2: Iterative Matching (figure)

  25. Candidate merge operation (figure): candidate set S_i is merged with matcher i+1; rules in S_i that don't care about matcher i+1 are kept, rules that require matcher i+1 must be in A_i+1
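As an added example (not NetShield's code), the candidate selection steps above in Python over a constructed HTTP rule table with don't-cares: each matcher computes its matched set A_i with a single lookup, and the candidate set is merged matcher by matcher. Field names, rule ids and thresholds are constructed; rule 1 mirrors Rule 6 from the slides.

```python
from bisect import bisect_left

# Constructed rule table: n = 4 rules over k = 3 matchers; "_" marks a don't-care.
# Matchers are already in the pre-computed order (selective == matchers first).
MATCHER_FIELDS = [("method", "=="), ("uri_filename", "=="), ("host_len", ">")]
RULES = {
    1: ("GET", "fp40reg.dll", 300),   # like Rule 6: filename match and Host header > 300 bytes
    2: ("POST", "_", 1000),
    3: ("_", "default.ida", "_"),
    4: ("GET", "_", 500),
}

class EqMatcher:
    """== matcher: one hash lookup returns A_i, every rule whose operand equals the field value."""
    def __init__(self, col):
        self.index, self.dont_care = {}, set()
        for rid, ops in RULES.items():
            if ops[col] == "_":
                self.dont_care.add(rid)
            else:
                self.index.setdefault(ops[col], set()).add(rid)

    def match(self, value):
        return self.index.get(value, set())

class GtMatcher:
    """> matcher: thresholds kept sorted, so one bisect returns every rule whose threshold < value."""
    def __init__(self, col):
        self.dont_care = {rid for rid, ops in RULES.items() if ops[col] == "_"}
        self.entries = sorted((ops[col], rid) for rid, ops in RULES.items() if ops[col] != "_")
        self.thresholds = [t for t, _ in self.entries]

    def match(self, value):
        return {rid for _, rid in self.entries[:bisect_left(self.thresholds, value)]}

MATCHERS = [EqMatcher(i) if op == "==" else GtMatcher(i) for i, (_, op) in enumerate(MATCHER_FIELDS)]

def candidate_selection(pdu):
    """Iterative merge: S_{i+1} = (S_i ∩ DontCare_{i+1}) ∪ (S_i ∩ A_{i+1}). Each matcher costs one
    lookup rather than one comparison per rule, and matching stops as soon as S_i is empty.
    Returns the ids of the rules whose every condition holds for this PDU."""
    candidates = set(RULES)
    for (field, _), matcher in zip(MATCHER_FIELDS, MATCHERS):
        # A field absent from the PDU satisfies no condition: only don't-care rules survive.
        matched = matcher.match(pdu[field]) if field in pdu else set()
        candidates = (candidates & matcher.dont_care) | (candidates & matched)
        if not candidates:
            break
    return sorted(candidates)
```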

  26. Refinement and Extension • SPM improvement: allow negative conditions; handle the array case; handle the associative array case; handle the mutually exclusive case; report the matched rules as early as possible • Extend to Multiple PDU Matching (MPM): allow checkpoints

  27. Outline • Motivation • High Speed Matching for Large Rulesets • High Speed Parsing • Evaluation • Research Contributions

  28. Observations • PDU array: PDU → parse tree; leaf nodes are integers or strings; vulnerability signatures are mostly based on leaf nodes • Observation 1: only need to parse the fields related to signatures • Observation 2: traditional recursive descent parsers, which need one function call per node, are too expensive

  29. Efficient Parsing with State Machines • Studied eight protocols: HTTP, FTP, SMTP, eMule, BitTorrent, WINRPC, SNMP and DNS, as well as their vulnerability signatures • Pre-construct parsing state machines based on the parse trees and vulnerability signatures • Common relationship among leaf nodes

  30. Example for WINRPC (figure: rectangles are states) • Parsing variables: R0 .. R4 • 0.61 instructions/byte for the BIND PDU
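As an added example (not NetShield's parser), a parsing state machine in Python for the WINRPC (DCE/RPC connection-oriented) PDU that fills only the leaf fields the BIND/BIND-ACK signatures above reference, skipping everything else by offset instead of building a parse tree. The field layout is the standard DCE/RPC CO header and BIND body as commented in the code; the sample PDU and its UUID are constructed placeholders.

```python
import struct

# Layout assumed (standard DCE/RPC CO PDU):
#   header = rpc_vers(1) rpc_vers_minor(1) ptype(1) pfc_flags(1) packed_drep(4)
#            frag_length(2) auth_length(2) call_id(4)
#   BIND body = max_xmit_frag(2) max_recv_frag(2) assoc_group_id(4) n_context_elem(1) pad(3),
#   context[0] = p_cont_id(2) n_transfer_syn(1) pad(1) abstract_syntax.uuid(16) version(4) ...
PTYPE_BIND, PTYPE_BIND_ACK = 11, 12

def parse_winrpc(pdu: bytes) -> dict:
    """Run the state machine; returns the parsing variables (R0..R4 on the slide) it filled."""
    R, pos, state = {}, 0, "HDR"
    while state != "DONE":
        if state == "HDR":
            if len(pdu) < 16:
                R["error"] = "truncated header"
                break
            R["rpc_vers"], R["rpc_vers_minor"], R["ptype"] = pdu[0], pdu[1], pdu[2]
            R["packed_drep"] = pdu[4:8]
            pos = 16                                  # flags, frag/auth length, call_id: unused
            state = "BIND" if R["ptype"] == PTYPE_BIND else "DONE"   # BIND-ACK needs header only
        elif state == "BIND":
            pos += 8                                  # max_xmit_frag, max_recv_frag, assoc_group_id
            if pos >= len(pdu):
                R["error"] = "truncated bind body"
                break
            R["n_context_elem"] = pdu[pos]
            pos += 4                                  # n_context_elem + 3 bytes padding
            state = "CTX0" if R["n_context_elem"] else "DONE"
        elif state == "CTX0":
            pos += 4                                  # p_cont_id, n_transfer_syn, pad
            if pos + 16 > len(pdu):
                R["error"] = "truncated context element"
                break
            R["context0_uuid"] = pdu[pos:pos + 16]    # context[0].abstract_syntax.uuid
            state = "DONE"
    return R

# Constructed BIND PDU (little-endian drep \x10\x00\x00\x00) with a placeholder UUID;
# the transfer syntax list after the abstract syntax is omitted since no signature reads it.
SAMPLE_UUID = bytes(range(16))
SAMPLE_BIND = (bytes([5, 0, PTYPE_BIND, 3]) + b"\x10\x00\x00\x00" + struct.pack("<HHI", 52, 0, 1)
               + struct.pack("<HHI", 4280, 4280, 0) + bytes([1, 0, 0, 0])
               + struct.pack("<HBB", 0, 1, 0) + SAMPLE_UUID + struct.pack("<I", 0))
```

The returned dict is what the matcher side consumes, so a truncated PDU yields an "error" entry instead of half-initialised fields.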

  31. Outline • Motivation • High Speed Matching for Large Rulesets • High Speed Parsing • Evaluation • Research Contributions

  32. Evaluation Methodology • Fully implemented prototype: 11,704 lines of C++ and 2,706 lines of Python; can run on both Linux and Windows • Deployed at a university DC with up to 106Mbps • 26GB+ of traces from Tsinghua Univ. (TH), Northwestern (NU) and DARPA • Run on a P4 3.8GHz single core PC w/ 4GB memory, after TCP reassembly and with the PDUs preloaded in memory • For HTTP we have 794 vulnerability signatures which cover 973 Snort rules • For WINRPC we have 45 vulnerability signatures which cover 3,519 Snort rules

  33. Parsing Results (figure)

  34. Matching Results (figure)

  35. Other Results • Rule scaling results: performance decreases gracefully • Compare with Regex (*XFA [SIGCOMM08][Oakland08]) • Memory for 973 Snort rules: DFA 5.29GB (XFA, 863 rules: 1.08MB), NetShield 2.3MB • Per flow memory: XFA 36 bytes, NetShield 20 bytes • Throughput: XFA 756Mbps, NetShield 1.9+Gbps

  36. Research Contributions • Demonstrate that vulnerability signatures can be applied to NIDS/NIPS, significantly improving the accuracy of current NIDS/NIPS • Propose the candidate selection algorithm for matching a large number of vulnerability signatures efficiently • Propose the parsing state machine for fast protocol parsing • Implement NetShield

  37. Future work • Work in progress, in collaboration with MSR: apply the semantic-rich analysis to cloud Web service profiling, to understand why a service is slow and how to improve it • Future work: Web security (browser security, web server security); Data Center security; High Speed Network Intrusion Prevention System with Hardware Support

  38. Long Term Research Challenges • Combat the professional profit-driven attackers. • Online applications (including Web 2.0 applications) become more complex and vulnerable. • Network speed keeps increasing, which demands highly scalable approaches.

  39. Q & A Thanks!

  40. Backup Slides

  41. Measure Snort Rules • Semi-manually classify the rules: group by CVE-ID, then manually look at each vulnerability • Results: 86.7% of rules can be improved by protocol semantic vulnerability signatures • Most of the remaining rules (9.9%) are web DHTML and script related, which are not suitable for a signature based approach • On average 4.5 Snort rules are reduced to one vulnerability signature • For binary protocols the reduction ratio is much higher than for text based ones; for netbios.rules the ratio is 67.6

  42. Motivation • Network security has been recognized as the single most important attribute of their networks, according to a survey of 395 senior executives conducted by AT&T • Many new emerging threats make the situation even worse

  43. System Framework (figure: the framework diagram, with components labelled Scalability, Accuracy & Scalability & Coverage, and Accuracy & adapt fast)

  44. Example of Vulnerability Signatures • At least 75% of vulnerabilities are due to buffer overflow • Sample vulnerability signature: field length corresponding to the vulnerable buffer > certain threshold • Intrinsic to the buffer overflow vulnerability and hard to evade (figure: a protocol message whose field overflows the vulnerable buffer)

  45. Old Slides

  46. Conclusions • A novel network-based vulnerability signature matching engine • Through a measurement study on the Snort ruleset, show that vulnerability signatures can improve most of the signatures in NIDS/IPS • Proposed the parsing state machine for fast parsing • Proposed a candidate selection algorithm for matching a large number of vulnerability signatures simultaneously

  47. Outline • Motivation • Feasibility Study: a measurement approach • Problem Statement • High Speed Parsing • High Speed Matching for massive vulnerability Signatures • Evaluation • Conclusions

