Efficient and Effective Architecture for Intrusion
Detection System
Prepared by
Ashif Adnan, Omair Alam, Akhtaruzzaman
School of Computer Science, University of Windsor
ON, Canada
Outline
- Introduction
- Motivation
- Goal
- Related works
- Our observations
- Conclusion
- Acknowledgment
- References
Introduction
- Ubiquitous computing environment
- Intrusion Detection Systems: misuse based, anomaly based
- Intrusion determination: false positive, false negative
- Intrusion detection rules
- Proactive intrusion detection
Motivation
- Tremendous growth of networks
- More availability of information; need for information security
- Growing importance of IDS
- Lack of efficiency in data collection
- Inefficiency and inaccuracy in analyzing attacks
- Complexity in rule checking
Goal
- An effective, efficient and secure Intrusion Detection System
Related works: New Approaches to Data Collection, Management and Analysis for IDS
- The basic concept used was SMASH
- SMASH: A Secure Monitoring System for Information Assurance, Analysis and Survivability of Network Hazards
- The basic need for implementing SMASH was network security
- The analysis will help reduce false positive and false negative determinations of intrusions
Related works (cont'd): Data Collection, Management and Analysis
- Requirements for implementing SMASH sensors: low cost, no extreme bandwidth requirements, flexible, scalable
- Wireless networks fulfil all of these requirements
- Additional advantage: sensors can be moved without disruption of the operational network
Related works (cont'd): Data Collection, Management and Analysis
Features of the Gumstix used:
- A miniature computer that comes preloaded with a Linux operating system
- A 400 MHz processor
- A NetCF stick, which combines a 100 Mbps Ethernet interface with a compact flash card adapter
- A compact flash wireless card
- It measures only 4" long by ¾" wide and ½" thick
- The motherboards measure 80 mm x 20 mm x 6.3 mm
Related works (cont'd): Data Collection, Management and Analysis
Figure 1: Gumstix Computers
Figure 2: Gumstix Motherboard
Graphic Reference: http://www.gumstix.com/
Related works (cont'd): Data Collection, Management and Analysis
Collecting Data using Gumstix
- Setting up the network: the sensor (Gumstix) as the sniffer, plus a central management system
- Network monitoring software such as tcpdump
- IDS application such as Snort
- Java application using socket programming
Related works (cont'd): Data Collection, Management and Analysis
Figure 3: Gumstix Network Setup
Related works (cont'd): Data Collection, Management and Analysis
Managing Data over Wireless
- Key issue: communication with the controlling workstation
- If the sensor undergoes a DDoS attack, its ability to send the data back to the controller may be compromised.
- So the best solution is to make the sensor communicate with the management station on a dedicated, isolated network.
- But an additional wired network becomes unmanageable, so a wireless network is used.
Related works (cont'd): Analysis of the design
Analyzing data with Data Fusion and Data Mining Techniques
- Data Fusion is generally defined as the use of techniques that combine data from multiple sources and gather that information in order to achieve inferences that are more efficient than those achieved by means of a single source.
- Data Mining is the principle of sorting through large amounts of data and picking out relevant information.
- The combination of data fusion and data mining techniques has the greatest potential to solve a major drawback of IDS: the unacceptable numbers of false positives and false negatives.
Related works (cont'd): High throughput string matching architecture for IDS/IPS
IDS/IPS requirements
- Worst case performance
- Non-interrupting rule update
- High throughput per area
Related works (cont'd): String matching architecture
String Matching Engine
- The strings are broken down into a set of small state machines
- Hierarchical architecture: the highest level is the full device
- Each device holds the entire set of strings, reads a character in every cycle, computes the set of matches and reports them
- Devices can be replicated
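As an added illustration (not code from the slides or from [2]), the following Python model builds the byte-level automaton for a rule set, splits it into n bit-level state machines that each read 8/n bits of every byte and carry a partial match vector, and reports a rule only when all machines agree. The names build_ac, bit_split and search, and the sample rule set and payload, are constructed for this example.

```python
from collections import deque

def build_ac(patterns):           # Aho-Corasick over bytes -> (delta, out)
    goto, out = [{}], [set()]     # delta[s][byte] is complete; out[s] = pattern ids ending at s
    for idx, p in enumerate(patterns):
        s = 0
        for ch in p:                                 # ints, since patterns are bytes
            if ch not in goto[s]:
                goto[s][ch] = len(goto); goto.append({}); out.append(set())
            s = goto[s][ch]
        out[s].add(idx)
    fail, delta, q = [0] * len(goto), [{} for _ in goto], deque(goto[0].values())
    delta[0] = {c: goto[0].get(c, 0) for c in range(256)}   # depth-1 states fail to root
    while q:                                         # BFS: fail[s] is resolved before s
        s = q.popleft()
        for c in range(256):
            if c in goto[s]:
                t = goto[s][c]
                fail[t] = delta[fail[s]][c]
                out[t] |= out[fail[t]]               # inherit matches of shorter suffixes
                delta[s][c] = t; q.append(t)
            else:
                delta[s][c] = delta[fail[s]][c]
    return delta, out
def bit_split(delta, out, n=8):   # n machines, each reading 8//n bits of every byte
    bits, machines = 8 // n, []
    for i in range(n):
        shift, mask = i * bits, (1 << bits) - 1
        ids, trans, pmv, q = {frozenset([0]): 0}, [{}], [set()], deque([frozenset([0])])
        while q:                                     # a bit state = set of byte states
            S = q.popleft()
            for v in range(1 << bits):               # every value of this bit slice
                T = frozenset(delta[s][c] for s in S
                              for c in range(256) if (c >> shift) & mask == v)
                if T not in ids:
                    ids[T] = len(trans); trans.append({}); q.append(T)
                    pmv.append(set().union(*(out[t] for t in T)))   # partial match vector
                trans[ids[S]][v] = ids[T]
        machines.append((trans, pmv, shift, mask))
    return machines
def search(machines, data):       # report a pattern only when every machine's PMV has it
    cur, found = [0] * len(machines), []
    for pos, byte in enumerate(data):
        for k, (trans, pmv, shift, mask) in enumerate(machines):
            cur[k] = trans[cur[k]][(byte >> shift) & mask]
        agreed = set.intersection(*(m[1][cur[k]] for k, m in enumerate(machines)))
        found += [(pos, i) for i in sorted(agreed)]   # (end offset, pattern id)
    return found
RULES = [b"GET ", b"../", b"cmd.exe"]              # constructed Snort-style content strings
PAYLOAD = b"GET /a/../cmd.exe"                     # constructed sample packet payload
```

Calling search(bit_split(*build_ac(RULES)), PAYLOAD) returns (end offset, rule id) pairs; with n = 2, 4 or 8 each state of a machine has 16, 4 or 2 next states, the fan-out column of Table 1.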
Related works (cont'd): String matching architecture
Figure 4: The String Matching Engine of the High Throughput Architecture [2]
Related works (cont'd): String matching architecture
Support for Non-interrupting Update
- Automated systems are used
- Faster than older FPGA (field-programmable gate array) based techniques
Figure 5: Non-interrupting update support [2]
Related works (cont'd): Analysis of the design - theoretical optimal partitioning
For a set of strings S, each with L characters per string, the total number of bits the architecture requires is

T_{n,g} = n \lfloor S/g \rfloor \, 2^{\lfloor \log_2(gL) \rfloor} \left( \lfloor \log_2(gL) \rfloor \, 2^{8/n} + g \right)

where n is the number of state machines per rule module and g is the group size.

n | Fanout | Storage in bits T_{n,g}
2 | 16 | 2 \lfloor S/g \rfloor 2^{\lfloor \log_2(gL) \rfloor} (16 \lfloor \log_2(gL) \rfloor + g)
4 | 4 | 4 \lfloor S/g \rfloor 2^{\lfloor \log_2(gL) \rfloor} (4 \lfloor \log_2(gL) \rfloor + g)
8 | 2 | 8 \lfloor S/g \rfloor 2^{\lfloor \log_2(gL) \rfloor} (2 \lfloor \log_2(gL) \rfloor + g)
Table 1: Optimal module size [2]
Related works (cont'd): Analysis of the design - throughput analysis

Description | Throughput (Gbps) | Char/Area (1/mm²) | Notes
Bit Split FSM (Group Size 16) | 10.074 | 55.219 | Bank size 64B
Bit Split FSM (Group Size 16) | 9.759 | 72.592 | Bank size 128B
Bit Split FSM (Group Size 16) | 9.326 | 156.569 | Bank size 256B
Sourdis and Pnevmatikatos, Pre-decoded CAMs | 9.708 | 23.482 | 4B/cc, Virtex2-6000
Sourdis and Pnevmatikatos, Pre-decoded CAMs | 4.913 | 22.682 | 4B/cc, Spartan3-5000
Hutchings et al., Regular Expressions | 0.248 | 32.496 | 1B/cc, Virtex-1000
Hutchings et al., Regular Expressions | 0.400 | 32.496 | 1B/cc, Virtex-1000
... | ... | ... | ...
Table 2: Detailed Comparison of the Bit Split FSM Design and existing FPGA-based Designs [2]
Related works: Utilizing fuzzy logic and neural networks for IDS in a wireless environment
Current IDS
- No correlation between host-based IDS and network-based IDS
- The database needs to be updated frequently for missed attacks
- Log files need to be analyzed over a long period of time
- A problem with anomaly detection is that a user can, over time, train the system to accept anomalous behaviour as normal by slowly adding to the attack
Related works (cont'd): Fuzzy logic and neural network
Difference
Figure 6: Comparison between Traditional and Alternative Misuse Detection [3]
Related works (cont'd): Fuzzy logic and neural network
NeGPAIM-W2 Model
Figure 7: General Representation of NeGPAIM-W2 [3]
Related works (cont'd): Fuzzy logic and neural network
The Fuzzy Engine
- The fuzzy engine is one of the two low-level processing units of NeGPAIM-W2 and processes the input data.
- This engine is responsible for implementing the misuse detection methodology.
- The fuzzy engine first computes a template; the user action graph is then mapped against it to determine whether or not a user (intruder) has performed, or is performing, an intrusion attack.
Related works (cont'd): Fuzzy logic and neural network
Neural Engine
- The second low-level processing engine
- It also processes the input data
- This engine processes the data and searches through it for patterns of abnormal user behaviour that may be occurring.
Related works (cont'd): Fuzzy logic and neural network
Central Analysis Engine
- Determines the source of an attack.
- Determines the type of attack currently being perpetrated by the attacker.
- Takes into account all information gathered from the various sources and determines an overall intrusion probability.
- Finally, the engine uses the overall intrusion probability value, along with the type and source of the intrusion attack, to perform a response to the intruder's actions.
Related works (cont'd): Analysis of the design
Figure 8: Risk analysis (Fuzzy Engine, Neural Engine and Central Analysis Engine, with the risk values 6/9/75%, 5/8/70% and 7/10/80% shown in the figure)
Related works (cont'd): Analysis of the design
Method of Testing
- Tested with a fully functional prototype called Sentinel IDS Test Bed
- Microsoft Windows OS
- Tools: Airodump, Aireplay, Aircrack, SuperScan and Brutus
- Misuse test by the Fuzzy Engine: 98% accurate
- Anomaly test by the Neural Engine: 97% accurate
Our observations: Data Collection, Management and Analysis for IDS
- Cumbersome and unwieldy to manage two or more networks
- Need to back up the management station
String matching architecture
- Applicable to general search problems on general state machines
- Possible to improve throughput by reading in more than one byte
- Possible to extend the number of next states by reading in more than one byte
- Need to multiply throughput with a reasonable increase in storage size
Our observations (cont'd): Intrusion detection with fuzzy logic and neural network
- Needs rigorous testing
- Potential bugs and vulnerabilities might weaken the WLAN security
- The cost of the wireless IDS solution may grow with the size of the WLAN
Our observations (cont'd): New Architecture
Figure 9: Modified architecture for Intrusion Detection System (components shown: Sticky GUM Architecture for Data Collection, Access Point Logs, High Throughput String Matching Rule based Architecture, Database, Fuzzy Engine, Neural Engine and Central Analysis Engine, with the risk values 6/9/75%, 5/8/70% and 7/10/80%)
Conclusion
Observed steps
- Investigation of a new approach to data collection, management and analysis for IDS using Gumstix
- Investigation of a high throughput string matching architecture for IDS
- Utilization of fuzzy logic and neural network for IDS using the NeGPAIM-W2 model
Our proposed idea: Efficient and Effective Architecture for Intrusion Detection System
Acknowledgement
We would like to thank our professor for his great support and for giving us the opportunity to learn about network security.
We would like to thank our audience for listening to our presentation.
References
[1] E. Derrick, R. Tibbs, L. Reynolds. Investigating new approaches to data collection, management and analysis for network intrusion detection. In Proc. of the 45th Annual Southeast Regional Conference (ACM-SE 45), pages 283-287, ACM Press, 2007.
[2] L. Tan, T. Sherwood. A high throughput string matching architecture for intrusion detection and prevention. In Proc. of the 32nd International Symposium on Computer Architecture, Vol. 33, Issue 2, pages 112-122, IEEE Computer Society, 2005.
[3] R. Goss, M. Botha, R. Solms. Utilizing fuzzy logic and neural networks for effective, preventative intrusion detection in a wireless environment. In Proc. of the 2007 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries (SAICSIT '07), Vol. 26, pages 29-35, ACM Press, 2007.
[4] Gumstix, Inc. Gumstix – Way small computing. Accessed at http://gumstix.com/index.html.
[5] S. A. Crosby and D. S. Wallach. Denial of service via algorithmic complexity attacks. In Proc. of the USENIX Annual Technical Conference, June 2003.
[6] http://portal.acm.org/citation.cfm?id=1292491.1292495.
The End
Questions?