Recent Advances in Network Intrusion Detection System Tuning

1
Recent Advances in Network Intrusion Detection System Tuning
  • J. Sommers, V. Yegneswaran, and P. Barford
  • University of Wisconsin-Madison
  • Proceedings of the 40th IEEE Conference on Information Sciences and Systems, 2006

2
Introduction
  • Malicious traffic in the Internet is growing at an alarming rate, both in terms of
    • volume
    • diversity
  • This motivates the need for methods and tools that can be used to assess and tune
    the capabilities of a NIDS against a wide range of both malicious and benign traffic

3
Introduction (cont.)
  • Standard methods for NIDS testing
    • use of canonical packet traces for offline tests
    • traffic generation systems for online evaluation in a controlled laboratory
      setting (synthetic traffic)

4
The work by McHugh
  • Introduced a set of requirements for NIDS test traffic streams
    • tests must be conducted with a diverse set of representative packet flows
      (including packet content) of both benign and malicious traffic
    • take empirical traces from real networks for offline analysis

5
The Problem
  • While many traffic generators have been developed
    for specific network systems tests, none of them
    address the problem of robust NIDS testing in
    particular
  • The synthetic generation of diverse,
    representative benign traffic (including payload
    content) has not been well addressed

6
The Goal
  • Create tools and a test methodology for
    evaluating and tuning the growing number of
    stateful protocol-aware IDS

7
Trident
  • A collection of tools that can be used to
    • generate packet traces for traditional offline evaluations
    • generate live test traffic for online evaluation of the performance
      characteristics of a NIDS or other network system (e.g. a firewall)

8
Trident Capabilities
  • The ability to generate representative benign
    traffic streams, including payloads
  • The ability to construct and generate new types
    of malicious traffic
  • The ability to modulate the mixture of benign and
    malicious test traffic

9
Trident Capabilities (cont.)
  • The ability to modulate the volume of both benign
    and malicious test traffic
  • The ability to modulate temporal arrival
    processes of both benign and malicious test
    traffic

10
False Positives
  • One of the most important aspects of NIDS evaluation is a thorough assessment of
    the system's propensity to generate alarms in the absence of malicious traffic
    (false positives)
  • The quantity of false positives is intrinsically tied to both
    • the NIDS under test
    • the nature of benign traffic in the environment

11
False Positives (cont.)
  • Therefore, the question becomes
    • how to identify and isolate the benign traffic

12
Populating Trident Traffic
  • NIDS-based strategies
    • use a standard NIDS such as Snort to groom a packet trace taken at a local
      site: connections that raise alerts are removed and the remainder is
      treated as benign
    • caveat: a trace groomed with Snort is, by construction, silent for Snort's
      own rule set, so it says nothing about Snort's false positives; use it to
      evaluate a different NIDS or configuration, or combine it with another
      grooming strategy

13
Populating Trident Traffic (cont.)
  • Synthetic generation strategies
    • use synthetic traffic generated by software robots that emulate user behavior

14
Populating Trident Traffic (cont.)
  • Trust-based strategies
    • groom a packet trace taken at a local site using connection heuristics
      (e.g. failure rates or scanning characteristics). This approach exploits
      the differences in connection characteristics of benign vs. malicious
      sources, based on a model of malicious connection behavior
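The NIDS-based and trust-based grooming strategies of slides 12 and 14, worked through on a small constructed trace. This is an added example, not Trident's code: the flow summaries and the single Snort alert line are constructed, the alert is parsed from Snort's alert_fast output format, and the failure-rate and fan-out thresholds used to model malicious connection behavior are illustrative assumptions rather than the paper's values.

```python
"""Grooming a local packet trace down to a benign subset, in the spirit of the
NIDS-based and trust-based strategies on the 'Populating Trident Traffic'
slides. Added example, not the Trident code: the flow summaries and the Snort
alert line below are constructed, and the trust thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection summarised from the trace."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    completed: bool  # True if the TCP handshake completed; False for RST / no answer


# Constructed flow summaries for a small trace.
FLOWS = [
    Flow("10.0.0.5", 51000, "192.0.2.10", 80, "TCP", True),
    Flow("10.0.0.5", 51001, "192.0.2.10", 443, "TCP", True),
    Flow("10.0.0.7", 40000, "192.0.2.25", 25, "TCP", True),
    Flow("10.0.0.7", 40001, "192.0.2.25", 25, "TCP", True),
    Flow("198.51.100.9", 6000, "192.0.2.10", 80, "TCP", True),  # the alerted connection
] + [
    # A scanner sweeping port 445: 20 distinct targets, only 2 handshakes complete.
    Flow("203.0.113.4", 33000 + i, f"192.0.2.{i}", 445, "TCP", i % 10 == 0)
    for i in range(1, 21)
]

# One constructed alert in Snort's "alert_fast" output format.
SNORT_FAST_ALERTS = (
    "03/14-10:22:01.123456  [**] [1:1000001:1] EXAMPLE web exploit attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "198.51.100.9:6000 -> 192.0.2.10:80\n"
)

# Endpoint part of a fast alert; ICMP alerts carry no ports and are skipped here.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def alerted_connections(fast_alerts):
    """Return the set of 5-tuples the NIDS alerted on."""
    hits = set()
    for line in fast_alerts.splitlines():
        m = ALERT_RE.search(line)
        if m:
            hits.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return hits


def groom_with_nids(flows, fast_alerts):
    """NIDS-based strategy: drop every connection the NIDS alerted on.
    By construction the result is silent for the grooming NIDS, so it can only
    serve to measure the false positives of a different NIDS or rule set."""
    bad = alerted_connections(fast_alerts)
    return [f for f in flows if (f.src, f.sport, f.dst, f.dport, f.proto) not in bad]


def suspicious_sources(flows, max_failure_rate=0.5, max_fanout=8):
    """Trust-based strategy: a simple model of malicious connection behaviour.
    A source is distrusted if most of its connects fail or if it touches more
    than max_fanout distinct (host, port) pairs. Thresholds are illustrative."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    bad = set()
    for src, fs in by_src.items():
        failure_rate = sum(not f.completed for f in fs) / len(fs)
        fanout = len({(f.dst, f.dport) for f in fs})
        if failure_rate > max_failure_rate or fanout > max_fanout:
            bad.add(src)
    return bad


def groom_by_trust(flows, **thresholds):
    """Keep only connections from sources the heuristics trust."""
    bad = suspicious_sources(flows, **thresholds)
    return [f for f in flows if f.src not in bad]


if __name__ == "__main__":
    benign = groom_by_trust(groom_with_nids(FLOWS, SNORT_FAST_ALERTS))
    print(f"{len(FLOWS)} flows in, {len(benign)} kept as benign")
```

Running the two strategies in sequence removes the alerted connection and the whole scanning source, leaving four flows from the two local clients. The trust-based pass catches the scanner even though Snort raised no alert on it, which is why the slides present the strategies as complementary rather than alternatives.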

15
The Trident System
  • Benign Traffic Generation
    • dynamically generate diverse traffic streams based on knowledge obtained
      from a limited set of traces
    • at the heart of the benign traffic generation system is a collection of
      automata whose states describe the classes of packets observed in a
      specific service

16
The Trident System (cont.)
  • Payload Classification
    • classify packets in the trace into pools that correspond to particular
      states of the different service automata

17
The Trident System (cont.)
  • Payload Sanitization
    • payloads are discarded or modified to ensure that they do not violate a
      simple set of requirements

18
The Trident System (cont.)
  • Content-aware Traffic Generation via Harpoon
    • Harpoon is used to execute the application state machines and transmit
      the sanitized payloads
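The four steps on slides 15 to 18 (service automaton, payload classification, payload sanitization, generation by executing the state machine) carried through as one pipeline for a toy HTTP service. This is an added example and not Trident's implementation: the two-state automaton, the trace payloads, and the sanitization rules (printable ASCII, bounded length, no internal addresses or hostnames) are constructed for illustration, and Harpoon's transmission of payloads over the network is replaced by returning the ordered exchange as a list.

```python
"""Benign traffic generation in the style of the Trident slides: a per-service
automaton whose states describe packet classes, classification of trace
payloads into per-state pools, sanitization of those pools, then generation by
walking the automaton. Added example, not Trident's own code; the service
model, sanitization rules and trace payloads are constructed, and Harpoon's
network transmission is replaced by a returned list of messages."""
import random
import re

# A minimal HTTP/1.0-style service automaton. Each state names the side that
# sends, the pattern a payload of that class must match, and the next state
# (None ends the connection).
HTTP_AUTOMATON = {
    "REQUEST": {"side": "client",
                "pattern": re.compile(rb"^(GET|HEAD) /\S* HTTP/1\.[01]\r\n"),
                "next": "RESPONSE"},
    "RESPONSE": {"side": "server",
                 "pattern": re.compile(rb"^HTTP/1\.[01] \d{3} "),
                 "next": None},
}
START_STATE = "REQUEST"

# Constructed (side, payload) pairs standing in for packets from a local trace.
TRACE_PAYLOADS = [
    ("client", b"GET /index.html HTTP/1.0\r\nHost: intranet.corp.example\r\n\r\n"),
    ("server", b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    ("client", b"HEAD /logo.png HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n"),
    ("server", b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    ("client", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),          # TLS on port 80: no class
    ("server", b"HTTP/1.0 200 OK\r\nX-Debug: 10.1.2.3\r\n\r\n"),  # leaks an internal address
]


def classify(payloads, automaton):
    """Place each payload in the pool of the first state whose side and pattern
    it matches; anything matching no state is returned separately."""
    pools = {state: [] for state in automaton}
    unclassified = []
    for side, data in payloads:
        for state, spec in automaton.items():
            if spec["side"] == side and spec["pattern"].match(data):
                pools[state].append(data)
                break
        else:
            unclassified.append(data)
    return pools, unclassified


INTERNAL_IP = re.compile(rb"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
INTERNAL_HOST = re.compile(rb"[A-Za-z0-9.-]+\.corp\.example")


def sanitize(pools, max_len=4096):
    """Discard or modify payloads that violate a simple set of requirements.
    Constructed rules: printable ASCII only and bounded length (else discard);
    internal addresses and hostnames are rewritten to documentation values."""
    clean = {}
    for state, payloads in pools.items():
        kept = []
        for data in payloads:
            if len(data) > max_len or any(
                b > 0x7e or (b < 0x20 and b not in b"\r\n\t") for b in data
            ):
                continue  # discard
            data = INTERNAL_IP.sub(b"192.0.2.1", data)
            data = INTERNAL_HOST.sub(b"www.example.com", data)
            kept.append(data)
        clean[state] = kept
    return clean


def generate_connection(automaton, pools, seed=None):
    """Execute the automaton from START_STATE, drawing one sanitized payload per
    state; returns the ordered (side, payload) exchange for one connection."""
    rng = random.Random(seed)
    messages = []
    state = START_STATE
    while state is not None:
        spec = automaton[state]
        if not pools[state]:
            raise ValueError(f"no sanitized payloads for state {state}")
        messages.append((spec["side"], rng.choice(pools[state])))
        state = spec["next"]
    return messages


if __name__ == "__main__":
    pools, dropped = classify(TRACE_PAYLOADS, HTTP_AUTOMATON)
    clean = sanitize(pools)
    for side, payload in generate_connection(HTTP_AUTOMATON, clean, seed=1):
        print(side, payload[:40])
```

The TLS record on port 80 never enters a pool because no state of the HTTP automaton accepts it, and the response carrying an internal address survives sanitization only after the address is rewritten. In Trident the automata are derived from traces and Harpoon executes them over real sockets; the generator above stops at producing the message sequence.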

19
The Trident System (cont.)
  • Attack Traffic Generation
    • general attack traffic creation
      • enhanced MACE (a modular attack composition framework that supports
        interpretation, execution, and exception handling of attack profiles)
    • DARPA attack recreation
      • the DARPA dataset provides a collection of 58 different attack instances

20
Results
21
Results (cont.)