
Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links



  1. Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links
Byoung-Koo Kim, Ik-Kyun Kim, Jong-kook Lee, Ki-Young Kim and Jong-Soo Jang
Security Gateway System Team, Electronics and Telecommunications Research Institute
161 Gajeong-Dong, Yuseong-Gu, Daejeon, 305-350, KOREA
Tel: +82-42-860-4888, Fax: +82-42-860-5611
E-mail: {kbg63228, ikkim21, ljk63466, kykim, jsjang}@etri.re.kr

  2. Introduction
• Overview of NSCS Environment (figure: several CPCS nodes and several SGS nodes)
• CPCS : Cyber Patrol Control System
• SGS : Security Gateway System

  3. Architecture of NSCS (block diagram)
• CPCS: HAB (High-Analyzer Block), SMB (System Management Block), AMB (Alert Management Block), PMB (Policy Management Block), Viewer, COPS/IAP Server (Interface Block)
• SGS: COPS/IAP Client (Interface Block), CPAB (Cyber Patrol Agent Block), IDAB (Intrusion Detection and Analyzing Block), PSAB (Packet Sensing and Analyzing Block); Inline Mode Operation

  4. Detailed SGS Architecture (block diagram, top to bottom)
• Application Task: Local GUI, SNMP Agent, Response Manager, Database Manager, Local Alert Manager, System Manager, Local Policy Manager, COPS/IAP Client, Filesystem/Database
• IOCTL I/F and Socket I/F between the application task and the kernel module
• IDAB (Kernel Module): Rule Manager with Data Structure for Rule; Preprocessor (IP defragmentation, TCP reassembly, Application decode, Portscan detection); Payload Pattern Matching
• PCI Bus between the kernel module and the FPGA
• PSAB (FPGA Logic): Rule Mirror Table, Preprocessor Filter, Fixed Field Pattern Matching, Flow Statistics, Blocking, Sensing, Forwarding

  5. Detection Rule Configuration
• Rules are organized in four groups: TCP Group, UDP Group, ICMP Group, IP Group
• Every group uses the same rule layout:
  – Fixed Field Pattern: Source IP Address, Destination IP Address, Source Port, Destination Port, TTL, IP ID, Fragbits, TCP Flags, Seq, Ack, Etc…
  – Payload Pattern: Data size, Content, Offset, Depth, Uricontent, Etc…
  – Alert fields: Attack name / Alert Message, Signature ID, Etc…
• Detection related fields are held in the H/W Logic Rule Mirror Table, alert related fields in the Kernel Logic Rule Table, with 1:N matching between the two tables

  6. H/W Rule Table (figure)

  7. Detection Algorithm – H/W (flowchart)
• Packet Monitor receives the packet
• PP Filter Check: preprocessing necessary? YES → PP Flag = 1; NO → PP Flag = 0
• FF Pattern Search: FF pattern matching? YES → FF Flag = 1; NO → FF Flag = 0
• PP Flag = 1 or FF Flag = 1? YES → Packet Send to Kernel Logic over the PCI Bus; NO → the packet is not passed to the kernel
• PP : Preprocessor
• FF : Fixed Field

  8. Detection Algorithm – Kernel (flowchart)
• Packet arrives from the FPGA Logic over the PCI Bus → Packet Decode
• PP Flag = 1? YES → Preprocess; Preprocessor Detection? YES → Alert Send (in either case continue to the FF Flag check)
• FF Flag = 1? YES → Payload Pattern Search; Payload Pattern Matching? YES → Alert Send
• Alert Send goes over the Socket Interface to CPAB
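The two-stage flow of slides 5, 7 and 8, modelled in Python as an added example; this is not the ETRI FPGA or kernel code. It assumes that the fixed-field part of a rule is what the H/W rule mirror table holds while the payload part (content, offset, depth) stays in the kernel rule table, that the preprocessor filter flags IP fragments and SYN-only segments, and a portscan threshold of 10 distinct ports. The Packet and Rule classes, the rules and the traffic are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:                   # constructed packet model, not the ETRI structures
    proto: str                  # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: str = ""         # Snort-style flag letters, e.g. "S", "PA"
    more_fragments: bool = False
    payload: bytes = b""

@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    src_ip: Optional[str] = None        # fixed-field part (None = any): mirrored to H/W
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[str] = None
    content: Optional[bytes] = None     # payload part: searched only in the kernel stage
    offset: int = 0
    depth: Optional[int] = None

    def fixed_key(self) -> tuple:
        return (self.proto, self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.tcp_flags)

def build_mirror_table(rules: List[Rule]) -> Dict[tuple, List[Rule]]:
    """One H/W entry per distinct fixed-field pattern, pointing at the N kernel
    rules that share it (the 1:N matching of the rule configuration slide)."""
    table: Dict[tuple, List[Rule]] = {}
    for r in rules:
        table.setdefault(r.fixed_key(), []).append(r)
    return table

def fixed_match(key: tuple, pkt: Packet) -> bool:
    proto, sip, dip, sport, dport, flags = key
    return (proto == pkt.proto and sip in (None, pkt.src_ip) and dip in (None, pkt.dst_ip)
            and sport in (None, pkt.src_port) and dport in (None, pkt.dst_port)
            and flags in (None, pkt.tcp_flags))

def hw_stage(pkt: Packet, mirror: Dict[tuple, List[Rule]]) -> Tuple[int, int, List[Rule]]:
    """H/W side: PP filter check plus fixed-field search -> (PP flag, FF flag, candidates).
    Assumed PP filter: IP fragments (defragmentation) and SYN-only segments (portscan)."""
    pp_flag = int(pkt.more_fragments or (pkt.proto == "tcp" and pkt.tcp_flags == "S"))
    candidates = [r for key, rs in mirror.items() if fixed_match(key, pkt) for r in rs]
    return pp_flag, int(bool(candidates)), candidates

class PortscanPreprocessor:
    """Alert once per source that sends SYN-only segments to > threshold distinct ports."""
    def __init__(self, threshold: int = 10):
        self.threshold, self.ports, self.reported = threshold, {}, set()

    def process(self, pkt: Packet) -> Optional[str]:
        if pkt.proto != "tcp" or pkt.tcp_flags != "S":
            return None
        seen = self.ports.setdefault(pkt.src_ip, set())
        seen.add(pkt.dst_port)
        if len(seen) > self.threshold and pkt.src_ip not in self.reported:
            self.reported.add(pkt.src_ip)
            return f"portscan from {pkt.src_ip} ({len(seen)} ports)"
        return None

def payload_match(rule: Rule, payload: bytes) -> bool:
    """content/offset/depth: search payload[offset:offset+depth] (to the end if depth is None)."""
    if rule.content is None:
        return True                     # pure fixed-field rule: the H/W hit is the detection
    end = None if rule.depth is None else rule.offset + rule.depth
    return rule.content in payload[rule.offset:end]

def kernel_stage(pkt, pp_flag, ff_flag, candidates, preproc) -> List[Tuple[int, str]]:
    """Kernel side: preprocess if PP flag, payload search if FF flag. sid 0 = preprocessor alert."""
    alerts = []
    if pp_flag and (msg := preproc.process(pkt)):
        alerts.append((0, msg))
    if ff_flag:
        alerts += [(r.sid, r.msg) for r in candidates if payload_match(r, pkt.payload)]
    return alerts

def run_sgs(rules: List[Rule], packets: List[Packet]):
    """Returns (alerts as (packet index, sid, msg), count of packets that reached the kernel)."""
    mirror, preproc = build_mirror_table(rules), PortscanPreprocessor(threshold=10)
    alerts, to_kernel = [], 0
    for i, pkt in enumerate(packets):
        pp, ff, cands = hw_stage(pkt, mirror)
        if not (pp or ff):
            continue                    # forwarded at wire speed; the kernel never sees it
        to_kernel += 1
        alerts += [(i, sid, msg) for sid, msg in kernel_stage(pkt, pp, ff, cands, preproc)]
    return alerts, to_kernel

RULES = [  # constructed rules
    Rule(1001, "WEB-CGI phf access", "tcp", dst_port=80, tcp_flags="PA", content=b"/cgi-bin/phf", offset=4, depth=60),
    Rule(1002, "WEB directory traversal", "tcp", dst_port=80, tcp_flags="PA", content=b"../..", offset=4),
    Rule(1003, "ICMP from blocked host", "icmp", src_ip="192.0.2.66"),
]
PACKETS = [  # constructed traffic: two HTTP requests, an SSH banner, one ICMP, a 12-port SYN sweep
    Packet("tcp", "10.0.0.5", "10.0.0.80", 40000, 80, "PA", payload=b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", "10.0.0.80", 40001, 80, "PA", payload=b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", "10.0.0.80", 40002, 22, "PA", payload=b"SSH-2.0-OpenSSH\r\n"),
    Packet("icmp", "192.0.2.66", "10.0.0.80"),
] + [Packet("tcp", "10.0.0.9", "10.0.0.80", 50000, p, "S") for p in range(1, 13)]

if __name__ == "__main__":
    for alert in run_sgs(RULES, PACKETS)[0]:
        print(alert)
```

Three things the slides state fall out of the run: the SSH packet sets neither flag and never crosses the PCI bus, so the kernel only spends payload-matching effort on the candidates the fixed-field hit already narrowed down (the two port-80 rules share one mirror-table entry, the 1:N case); a rule without a content field is decided by the fixed-field hit alone; and the offset/depth window means the same content string outside the window is not a match.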

  9. SGS Prototype for NSCS
• FPGA Logic (H/W) Functions
  – Wire-Speed Forwarding
  – 5-Tuple based Flow Classification
  – Statistics / Blocking / Sensing / Fixed Field Pattern Matching
• Kernel Logic Functions
  – Linux kernel 2.4.2 based Kernel Module Programming
  – Payload Pattern Matching / Alert Generation

  10. Conclusion & Future Work
• Present the architecture of NSCS
• Design the SGS of NSCS
  – Design the architecture of SGS
  – Design the ruleset configuration of SGS
  – Design the FPGA logic and kernel logic of SGS
  – Develop the prototype of SGS
• Future Work
  – Improve the detection mechanism on high-speed links
  – Guarantee the secure transmission of messages among the prototype systems
  – Resolve the problems found while verifying the implemented system
