Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card - PowerPoint PPT Presentation

Speaker: Ming-Yuan Hsu. Authors: H. Bos, Vrije Universiteit, Amsterdam, The Netherlands.

Presentation Transcript
Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card

Speaker: Ming-Yuan Hsu


Outline

  • Information

  • Introduction

  • Aho-Corasick

  • Architecture

  • Evaluation

  • Conclusion

WNS.Lab.Meeting


Information

  • Authors

    • H. Bos, Vrije Universiteit, Amsterdam, The Netherlands

  • Symposium

    • A. Valdes and D. Zamboni (Eds.): RAID 2005, LNCS 3858, pp. 102–123, 2006.

      © Springer-Verlag Berlin Heidelberg 2006



Introduction (1)

  • A signature detection system (SDS) implemented in software on the network card.

    • Distributed firewalls

      • Do not implement payload inspection at all.

    • FPGAs

      • Complex to modify.

  • CardGuard is intended to protect

    • A single end-user’s host

    • A small set of hosts connected to a switch



Introduction (2)

  • The authors’ goal has been to make the SDS

    • An inexpensive device

    • Competitive with large firewalls.

    • Fast enough to handle realistic loads.



Distributing the firewall

  • Most current approaches to IDS/IPS

    • High-performance firewall/IDS at the edge.

    • All internal nodes are assumed to be safe.

    • All external nodes are considered suspect.



  • Drawbacks (compared to a distributed firewall)

    • Doesn’t protect internal nodes

      • Attacks that originate within the intranet are not seen.

    • The edge firewall sits on the intranet’s link to the outside world.

      • The traffic volume is very large.

        • Payload scans are difficult or infeasible.

      • An attacker can send a large number of harmless packets.

    • Must protect a heterogeneous collection of machines.

    • Closes all ports except a select few.

      • Inconvenient for users.

      • Configuration is more complex.



The IXP1200 Network Processor

  • CardGuard implementation

    • Implemented on an IXP1200 network processor unit.

    • Employs the Aho-Corasick algorithm.



Aho-Corasick

  • A multi-pattern string matching algorithm.

  • Compiles the dictionary into a finite state machine.

  • A simple example

    • The dictionary includes “aba” and “abcd”



  • Inline

  • In-memory

    • The Aho-Corasick DFA is stored as a trie.


Aho-Corasick Example

A deterministic finite automaton (DFA) for the Slammer worm; it identifies 5 different patterns.



  • The signatures of the Slammer worm are

    • h.dllhel32hkernQhounthickChGetTf

    • hws2

    • Qhsockf

    • toQhsend

    • Qhsoc

  • Aho-Corasick reports the signatures at:

    • States 32, 35, 40, 42 and 50
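
The two Aho-Corasick slides above (the “aba”/“abcd” dictionary and the Slammer signature set) describe the automaton but not how it is built or why the DFA form matters for an in-memory matcher on the card. The Python program below is an added example written for this page; it is not code from the presentation, from the RAID paper, or from the CardGuard implementation. It builds the trie, computes failure links with a breadth-first pass, and flattens trie plus failure links into a dense per-byte transition table, so that scanning costs one table lookup per payload byte. The payloads it scans are constructed here and are not real captures, and the state numbers it reports follow from its own insertion order, so they will not coincide with the 32/35/40/42/50 shown on the slide.

```python
from collections import deque

ALPHABET = 256  # byte-oriented automaton: one column per possible input byte

# Signature strings exactly as listed on the slide for the Slammer worm.
SLAMMER_SIGNATURES = [
    b"h.dllhel32hkernQhounthickChGetTf",
    b"hws2",
    b"Qhsockf",
    b"toQhsend",
    b"Qhsoc",
]


def build_dfa(patterns):
    """Compile byte-string patterns into a dense DFA.

    Returns (goto, output): goto[state][byte] is the next state for every
    state and every byte, and output[state] is the set of patterns that
    end at that state, including those inherited over failure links.
    State 0 is the root.
    """
    patterns = [p if isinstance(p, bytes) else p.encode() for p in patterns]
    goto = [[-1] * ALPHABET]   # -1 marks "no trie edge yet"
    output = [set()]

    # Phase 1: build the trie (keyword tree) from the dictionary.
    for pat in patterns:
        s = 0
        for b in pat:
            if goto[s][b] == -1:
                goto.append([-1] * ALPHABET)
                output.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        output[s].add(pat)

    # Phase 2: breadth-first pass that computes failure links and, at the
    # same time, replaces every missing edge by the edge the failure state
    # would take.  Afterwards no failure transitions remain at scan time.
    fail = [0] * len(goto)
    queue = deque()
    for b in range(ALPHABET):
        if goto[0][b] == -1:
            goto[0][b] = 0            # root stays put on unmatched bytes
        else:
            queue.append(goto[0][b])  # depth-1 states fail to the root
    while queue:
        r = queue.popleft()
        for b in range(ALPHABET):
            s = goto[r][b]
            if s != -1:
                fail[s] = goto[fail[r]][b]
                output[s] |= output[fail[s]]   # suffix matches propagate
                queue.append(s)
            else:
                goto[r][b] = goto[fail[r]][b]
    return goto, output


def scan(goto, output, payload):
    """Feed payload through the DFA; return (end_offset, pattern, state)
    for every pattern occurrence, in the order they are detected."""
    hits = []
    s = 0
    for i, b in enumerate(payload):
        s = goto[s][b]
        for pat in sorted(output[s]):
            hits.append((i, pat, s))
    return hits


_SLAMMER_DFA = build_dfa(SLAMMER_SIGNATURES)


def matched_signatures(payload):
    """Sorted list of Slammer signatures present anywhere in payload."""
    goto, output = _SLAMMER_DFA
    return sorted({pat for _, pat, _ in scan(goto, output, payload)})


if __name__ == "__main__":
    goto, output = build_dfa(["aba", "abcd"])
    print("states:", len(goto))                 # root plus 5 trie nodes
    print(scan(goto, output, b"xabacabcd"))     # "aba" ends at 3, "abcd" at 8
    # Constructed payload (not a capture): two signatures back to back.
    print(matched_signatures(b"\x00\x01Qhsockfhws2"))
```

The dense table is what the “in-memory” design on the slides pays for: every state holds 256 entries, so memory grows with the number of trie nodes, but the scan loop never follows a failure chain and its per-byte cost stays constant, which is the property a fixed-budget network processor needs. The Slammer run also shows output inheritance at work: “Qhsoc” is a prefix of “Qhsockf”, so scanning the longer string reports both.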



Architecture

  • CardGuard is implemented on an Intel IXP1200 NPU board.

    • Contains 2 Gigabit ports.

      • Packet reception/transmission

    • Newer version is IXP2800

      • Its efficiency is better than IXP1200.



Evaluation

  • This is a typical result for Aho-Corasick.

  • The number of times each level of the DFA is visited.



  • First experiment

    • Uses tcpreplay (max rate: about 50 Mbps)

  • Second experiment

    • Examines the number of cycles.

      • Packets of various sizes

      • Ten state transitions in the DFA.

    • A single thread can process 52.5 Mbps for maximum-sized non-TCP packets.



  • Final experiment (a stress test)

    • Packets sent by iperf.

    • Evaluates throughput in the worst case.

      • The payload needs to be checked from start to finish.

      • This is not a realistic scenario.

      • Every packet sent is checked in its entirety.



Conclusion

  • The hardware used in CardGuard is rather old.

    • The principles remain valid for newer hardware.

  • CardGuard represents a first step.

    • Intrusion detection on a NIC in software
