Towards software based signature detection for intrusion prevention on the network card


Presentation Transcript



Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card

Speaker: Ming-Yuan Hsu



Outline

  • Information

  • Introduction

  • Aho-Corasick

  • Architecture

  • Evaluation

  • Conclusion

WNS.Lab.Meeting



Information

  • Authors

    • H. Bos

      • Vrije Universiteit, Amsterdam, The Netherlands


    • Kaiming Huang

      • Xiamen University, Xiamen, China


  • Symposium

    • A. Valdes and D. Zamboni (Eds.): RAID 2005, LNCS 3858, pp. 102–123, 2006.

      © Springer-Verlag Berlin Heidelberg 2006


Introduction (1)

  • Signature detection system (SDS) in software on the network card.

    • Distributed firewall

      • Do not implement payload inspection at all.

    • FPGAs

      • Complex to modify.

  • CardGuard is intended to protect

    • Single end-user’s host

    • Small set of hosts connected to a switch


Introduction (2)

  • The authors’ goal has been to make the SDS

    • An inexpensive device

    • Competitive with large firewalls.

    • Fast enough to handle realistic loads.


Distributing the firewall

  • Most current approaches to IDS/IPS

    • High-performance firewall/IDS at the edge.

    • All internal nodes are assumed to be safe.

    • All external nodes are considered suspect.


  • Drawbacks (compared to a distributed firewall)

    • Doesn’t protect internal nodes

      • Attacks originating within the intranet.

    • Represents the intranet’s link to the outside world.

      • The traffic volume is very large

        • Payload scans are difficult or infeasible

      • An attacker can send a large number of harmless packets.

    • Must protect a heterogeneous collection of machines.

    • Closes all ports except a select few.

      • This is inconvenient for users.

      • Configuration is more complex.


The IXP1200 Network Processor

  • CardGuard implementation

    • Implemented on an IXP1200 network processor unit.

    • Employs the Aho-Corasick algorithm.


Aho-Corasick

  • A string matching algorithm.

  • Compiles the dictionary into a finite state machine.

  • A simple example

    • The dictionary includes “aba” and “abcd”


  • Inline

  • In-memory

    • The DFA that Aho-Corasick builds is stored as a trie.


  • The input “bababcdab”

  • Aho-Corasick returns

    • aba × 1

    • abcd × 1


Aho-Corasick Example

A deterministic finite automaton (DFA) for the Slammer worm identifies 5 different patterns.


  • The signatures of the Slammer worm are

    • h.dllhel32hkernQhounthickChGetTf

    • hws2

    • Qhsockf

    • toQhsend

    • Qhsoc

  • Aho-Corasick finds the signatures at:

    • States 32, 35, 40, 42, 50
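
The following Python is an added illustration, not code from the paper or these slides: it builds the Aho-Corasick trie with failure links for the two-word dictionary above and for the five Slammer signatures, numbers states in insertion order (which reproduces the terminal states 32, 35, 40, 42 and 50 listed on the slide), and counts matches in a single pass over the input. The filler text around the signatures in the usage is constructed here; the dictionary, the input “bababcdab” and the signatures come from the slides.

```python
from collections import deque

class AhoCorasick:
    def __init__(self, patterns):
        self.goto = [{}]      # goto[state][symbol] -> next state
        self.fail = [0]       # failure link of each state
        self.out = [[]]       # patterns reported when a state is entered
        self.terminal = {}    # pattern -> state where it is matched
        for p in patterns:
            self._insert(p)
        self._link_failures()

    def _insert(self, pattern):
        s = 0
        for sym in pattern:
            if sym not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][sym] = len(self.goto) - 1  # numbered in insertion order
            s = self.goto[s][sym]
        self.out[s].append(pattern)
        self.terminal[pattern] = s

    def _link_failures(self):
        queue = deque(self.goto[0].values())  # depth-1 states fail to the root
        while queue:
            s = queue.popleft()
            for sym, nxt in self.goto[s].items():
                f = self.fail[s]
                while f and sym not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(sym, 0)
                self.out[nxt] += self.out[self.fail[nxt]]  # inherit suffix matches
                queue.append(nxt)

    def count(self, data):
        """One pass over data (str or bytes); returns {pattern: occurrences}."""
        hits, s = {}, 0
        for sym in data:
            while s and sym not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(sym, 0)
            for p in self.out[s]:
                hits[p] = hits.get(p, 0) + 1
        return hits

# The five Slammer signatures from the slide, in the slide's order.
SLAMMER = ["h.dllhel32hkernQhounthickChGetTf", "hws2", "Qhsockf", "toQhsend", "Qhsoc"]
```

Because the scanner keeps only one integer of state between symbols, it can resume a partially matched signature across packet boundaries, which is what a per-flow NIC-side scanner needs.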

Architecture

  • CardGuard is implemented on an Intel IXP1200 NPU board.

    • Contains 2 Gigabit ports.

      • Packet reception/transmission

    • The newer version is the IXP2800.

      • Its efficiency is better than the IXP1200’s.


  • The ports are used for all data between hosts and the NPU.

  • CardGuard is designed as a plug-and-play IDS.

    • To protect a set of hosts connected to a switch.

  • No reconfiguration of the end-systems is necessary.


Evaluation

  • This is a typical result for Aho-Corasick.

  • The number of times each level of the DFA is visited.


  • First experiment

    • Uses tcpreplay (maximum rate: about 50 Mbps)

  • Second experiment

    • Examines the number of cycles.

      • Packets of various sizes

      • Ten state transitions in the DFA.

    • A single thread could process 52.5 Mbps for maximum-sized non-TCP packets.


  • Final experiment (a stress test)

    • Packets sent by iperf.

    • Evaluates the throughput under the worst case.

      • The payload needs to be checked from start to finish.

      • This is not a realistic scenario.

      • Every packet sent is checked in its entirety.


Conclusion

  • The hardware used in CardGuard is rather old.

    • The principles remain valid for newer hardware.

  • CardGuard represents a first step.

    • Intrusion detection on a NIC in software
