Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card

Speaker: Ming-Yuan Hsu

Outline
  • Information
  • Introduction
  • Aho-Corasick
  • Architecture
  • Evaluation
  • Conclusion

WNS.Lab.Meeting

Information
  • Authors
    • H. Bos, Vrije Universiteit, Amsterdam, The Netherlands
  • Symposium
    • A. Valdes and D. Zamboni (Eds.): RAID 2005, LNCS 3858, pp. 102–123, 2006.

© Springer-Verlag Berlin Heidelberg 2006

Introduction (1)
  • A signature detection system (SDS) implemented in software on the network card.
    • Distributed firewalls
      • Do not implement payload inspection at all.
    • FPGA-based solutions
      • Complex to modify.
  • CardGuard is intended to protect
    • A single end-user's host
    • A small set of hosts connected to a switch

Introduction (2)
  • The authors' goal has been to make the SDS
    • An inexpensive device
    • Competitive with large firewalls
    • Fast enough to handle realistic loads

Distributing the firewall
  • Most current approaches to IDS/IPS
    • A high-performance firewall/IDS at the edge of the network.
    • All internal nodes are assumed to be safe.
    • All external nodes are considered suspect.

Drawbacks (compared to a distributed firewall)
  • Does not protect internal nodes
    • Attacks that originate within the intranet are not seen.
  • The edge device is the intranet's single link to the outside world.
    • The traffic volume is very large
      • Payload scans are difficult or infeasible.
    • An attacker can swamp it with a large number of harmless packets.
  • It must protect a heterogeneous collection of machines.
  • It closes all ports except a select few.
    • Inconvenient for users.
    • Configuration is more complex.

The IXP1200 Network Processor
  • CardGuard
    • Implemented on an IXP1200 network processor unit (NPU).
    • Employs the Aho-Corasick algorithm for signature matching.

Aho-Corasick
  • A multi-pattern string matching algorithm.
  • Compiles the dictionary of patterns into a finite state machine.
  • A simple example
    • The dictionary includes "aba" and "abcd".

Inline
  • In-memory
    • The Aho-Corasick DFA is stored as a trie: each state is a trie node holding its transitions, and matching walks the trie one input symbol at a time.

The input "bababcdab"
  • Aho-Corasick returns
    • aba × 1
    • abcd × 1

Aho-Corasick Example
  • A deterministic finite automaton (DFA) for the Slammer worm
    • Identifies 5 different patterns.

The signatures of the Slammer worm are
    • h.dllhel32hkernQhounthickChGetTf
    • hws2
    • Qhsockf
    • toQhsend
    • Qhsoc
  • Aho-Corasick reports the signatures at
    • States 32, 35, 40, 42 and 50
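The two dictionaries on the preceding slides, run through a small Aho-Corasick matcher. This is an added example, not code from the paper or from CardGuard; it assumes nothing beyond the pattern lists shown on the slides, and the input "toQhsockf" is constructed here. With the root as state 0 and new states numbered in insertion order, loading the five Slammer signatures in the order the slide lists them gives exactly the accepting states 32, 35, 40, 42 and 50. It also shows why both "Qhsoc" and "Qhsockf" appear in the list: the shorter one is a prefix of the longer, so a single occurrence of "Qhsockf" is reported twice, and a prefix such as "toQhs" that turns out not to be "toQhsend" is abandoned through a failure link without rescanning the input.

```python
from collections import deque


class AhoCorasick:
    """Aho-Corasick multi-pattern matcher (added example, not the paper's code).

    The dictionary is compiled into a trie whose nodes are the DFA states.
    Each state carries a failure link: the longest proper suffix of the
    state's path that is itself a prefix of some pattern.  Matching then
    costs a bounded number of transitions per input symbol regardless of
    how many patterns are loaded.  State 0 is the root; new states are
    numbered in insertion order.
    """

    def __init__(self, patterns):
        self.goto = [{}]     # goto[state][symbol] -> next state
        self.fail = [0]      # failure link per state
        self.output = [[]]   # patterns reported when a state is reached
        for p in patterns:
            self._insert(p)
        self._build_failure_links()

    def _new_state(self):
        self.goto.append({})
        self.fail.append(0)
        self.output.append([])
        return len(self.goto) - 1

    def _insert(self, pattern):
        state = 0
        for sym in pattern:
            nxt = self.goto[state].get(sym)
            if nxt is None:
                nxt = self._new_state()
                self.goto[state][sym] = nxt
            state = nxt
        self.output[state].append(pattern)

    def _build_failure_links(self):
        # Breadth-first, so a state's failure target (which is shallower)
        # is fully built before the state itself is processed.
        queue = deque(self.goto[0].values())   # root children fail to root
        while queue:
            r = queue.popleft()
            for sym, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and sym not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(sym, 0)
                # A pattern that is a suffix of this state's path ends here too.
                self.output[s] = self.output[s] + self.output[self.fail[s]]

    def step(self, state, sym):
        """One DFA transition: follow failure links until sym is accepted."""
        while state and sym not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(sym, 0)

    def search(self, text):
        """Return (counts, hits): per-pattern counts and (end_index, pattern, state)."""
        state, counts, hits = 0, {}, []
        for i, sym in enumerate(text):
            state = self.step(state, sym)
            for p in self.output[state]:
                counts[p] = counts.get(p, 0) + 1
                hits.append((i, p, state))
        return counts, hits

    def accepting_states(self):
        """States at which at least one pattern is reported."""
        return {s for s, out in enumerate(self.output) if out}


# Dictionaries taken from the slides.
TOY_DICTIONARY = ["aba", "abcd"]
SLAMMER_SIGNATURES = [            # in the order the slide lists them
    "h.dllhel32hkernQhounthickChGetTf",
    "hws2",
    "Qhsockf",
    "toQhsend",
    "Qhsoc",
]


def count_matches(patterns, text):
    """Convenience wrapper: {pattern: occurrences} for one scan of text."""
    counts, _ = AhoCorasick(patterns).search(text)
    return counts


def main():
    print(count_matches(TOY_DICTIONARY, "bababcdab"))        # {'aba': 1, 'abcd': 1}
    slammer = AhoCorasick(SLAMMER_SIGNATURES)
    print(sorted(slammer.accepting_states()))                 # [32, 35, 40, 42, 50]
    # Constructed input: "toQhs" fails over into "Qhs", then "Qhsoc" and
    # "Qhsockf" are both reported from one occurrence of the longer string.
    print(count_matches(SLAMMER_SIGNATURES, "toQhsockf"))    # {'Qhsoc': 1, 'Qhsockf': 1}


if __name__ == "__main__":
    main()
```

The automaton only needs hashable symbols, so passing `bytes` for both the patterns and the packet payload works unchanged (iteration then yields integers), which is how one would scan raw payloads rather than text.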

Architecture
  • CardGuard is implemented on an Intel IXP1200 NPU board.
    • Contains two Gigabit ports
      • Used for packet reception/transmission
    • The newer IXP2800 offers better performance than the IXP1200.

The two ports carry all data between the hosts and the NPU.
  • CardGuard is designed as a plug-and-play IDS.
    • It protects a set of hosts connected to a switch.
  • No reconfiguration of the end-systems is necessary.

Evaluation
  • A typical result for Aho-Corasick.
  • Shows how many times the different levels of the DFA are visited during a scan.

First experiment
    • Replay captured traffic with tcpreplay (maximum rate about 50 Mbps).
  • Second experiment
    • Examine the number of cycles spent per packet
      • Packets of various sizes
      • Ten state transitions in the DFA
    • A single thread could process 52.5 Mbps for maximum-sized non-TCP packets.

Final experiment (a stress test)
    • Packets sent by iperf.
    • Evaluates the throughput under the worst case
      • Every packet's payload needs to be checked from start to finish.
      • Not a realistic scenario, but each packet is checked in its entirety.

Conclusion
  • The hardware used in CardGuard is rather old.
    • The principles remain valid for newer hardware.
  • CardGuard represents a first step
    • Intrusion detection on a NIC, implemented in software
