NIC-based intrusion detection: A feasibility study - PowerPoint PPT Presentation

About This Presentation
Title:

NIC-based intrusion detection: A feasibility study

Description:

Difficult to refresh (lose all previous information), may not detect slow scans ... Non-stationary model (similar to port-scan detector) ... – PowerPoint PPT presentation

Number of Views:78
Avg rating:3.0/5.0
Slides: 28
Provided by: Sri680

Transcript and Presenter's Notes

Title: NIC-based intrusion detection: A feasibility study


1
NIC-based intrusion detection: A feasibility study
  • Srinivasan Parthasarathy
  • Ohio State University
  • Joint work with
  • M. Otey, R. Noronha, G. Li and D.Panda

2
Roadmap
  • Motivation and Approaches
  • Challenges and Objectives
  • Preliminary Work
  • Algorithms
  • Experimental Results
  • Conclusions

3
Motivation
[Figure: two network diagrams, "Conventional Security Setup" and "Adding NIC-based security", each showing a WAN connected to a LAN. Legend: Host (host-based security), Firewall, NIC-based Intrusion Detection System]
4
Why NIC-based Intrusion Detection
  • Pros
  • Better Coverage and Scalability
  • More security end points
  • Better Reliability and Performance
  • Host is separate from NIC
  • Adaptable, Flexible and Dynamic
  • Intrusion patterns/rules can be modified on the
    fly so that the ID scheme can adapt.
  • Possible Cons
  • Efficiency and Performance of Network Messaging
  • Solution → simple yet effective schemes are needed

5
Coverage and Scalability
  • One-to-one mapping between NICs and hosts →
    coverage
  • Natural distribution of computation → scalability
  • Less aggregation → can detect more specific
    intrusions
  • E.g. a firewall can detect host scans, a NIC is
    better positioned to track port scans.
  • Can detect intrusions internal to a LAN
  • Conventional setup cannot
  • Cooperating NICs → can potentially detect more
    complex exploits

6
Reliability and Performance
  • Independence from host adds to reliability
  • One extra security layer
  • If host is contaminated NIC-security may still be
    activated
  • If NIC is contaminated or detects an intrusion
    the host will still be secure
  • Independence from host can improve performance
  • Host OS is not frequently interrupted, can do
    other stuff
  • If host is loaded, bandwidth not impacted as
    much.

7
Challenges
  • Building specialized NIC hardware may be too
    expensive
  • Our objective: work with commodity NICs
  • Resources on commodity NICs are limited
  • Smaller memory, slower processor
  • Efficiency on basic actions (message transfers) a
    crucial concern
  • Impact of ID schemes on bandwidth of good
    messages
  • Is NIC-based intrusion detection feasible?

8
Objectives of this study
  • Design some simple algorithms for intrusion
    detection that are
  • Efficient
  • Utilize limited resources
  • Evaluation Criteria
  • Detection Accuracy
  • Efficiency

9
Roadmap
  • Motivation and Approaches
  • Challenges and Objectives
  • Preliminary Work
  • Algorithms
  • Experimental Results
  • Conclusions

10
Basic Algorithms
  • Port Scan Detector (PSD)
  • Anomaly Detector
  • Instantiation of Anomalous Client Detector
  • Signature Detector
  • Naïve Bayesian Classifier

11
Sample Instantiation
[Figure: "Adding NIC-based security" diagram of a WAN connected to a LAN, with detectors placed on individual NICs. Legend: NIC-based Anomalous Client Detector, NIC-based Port Scan Detector, Host (host-based security), Firewall, NIC-based Naïve Bayes Classifier]
12
Port Scan Detector
  • Is memory constrained?
  • No: one port, one bit → 8 KB
  • Yes: bit vector of length B
  • Many (65536) to one (B) mapping f from ports to
    bits (biased mapping possible)
  • Is one bit vector enough?
  • Difficult to refresh (lose all previous
    information), may not detect slow scans
  • Sliding window → N such vectors
  • P: max number of packets per vector (reuse rate)
  • How to combine?
  • OR all bit vectors (low computational cost)
  • How often to check and how to detect?
  • F: detection frequency
  • S: threshold for port scan (number of 1s)
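The sliding-window port scan detector described on this slide, written out as an added example (this is not code from the paper or the authors' NIC firmware, which would be C running on the LANai). The parameter values B=1024 bits, N=4 vectors, P=64 packets per vector, F=32 and S=40, the plain modulus used for the many-to-one mapping f, and the traffic streams are all assumptions constructed for the example. It also shows why the window matters: a slow scan interleaved with normal traffic is caught with N=4 vectors but never with a single vector that is cleared on every refresh.

```python
"""Port scan detector with a sliding window of N bit vectors (constructed example)."""


class PortScanDetector:
    """B bits per vector, N vectors, P packets per vector (reuse rate), a check every
    F packets, alarm when the OR of all vectors contains at least S ones.
    The defaults are assumptions for the example, not the paper's settings."""

    def __init__(self, bits=1024, n_vectors=4, p_max=64, check_every=32, threshold=40):
        self.bits = bits
        self.n_vectors = n_vectors
        self.p_max = p_max
        self.check_every = check_every
        self.threshold = threshold
        self.vectors = [bytearray(bits // 8) for _ in range(n_vectors)]
        self.cur = 0    # vector currently being written
        self.fill = 0   # packets recorded into the current vector
        self.seen = 0   # packets observed in total

    def map_port(self, port):
        """Many-to-one mapping f from the 65536 ports to B bits. A plain modulus is
        used here; a biased mapping could reserve individual bits for well-known ports."""
        return port % self.bits

    def ones(self):
        """Population count of the OR of all N vectors (cost: N * B/8 byte ORs)."""
        total = 0
        for i in range(self.bits // 8):
            acc = 0
            for v in self.vectors:
                acc |= v[i]
            total += bin(acc).count("1")
        return total

    def observe(self, dst_port):
        """Record one packet's destination port; True when a scheduled check alarms."""
        b = self.map_port(dst_port)
        self.vectors[self.cur][b >> 3] |= 1 << (b & 7)
        self.fill += 1
        self.seen += 1
        if self.fill >= self.p_max:
            # Reuse the oldest vector: advance and clear it, so the window
            # always spans the last N * P packets instead of being reset.
            self.cur = (self.cur + 1) % self.n_vectors
            self.vectors[self.cur] = bytearray(self.bits // 8)
            self.fill = 0
        if self.seen % self.check_every == 0:
            return self.ones() >= self.threshold
        return False


def first_detection(detector, ports):
    """Feed a port stream; return the 1-based index of the first alarming packet, or None."""
    for i, port in enumerate(ports, 1):
        if detector.observe(port):
            return i
    return None


def slow_scan_stream(length):
    """Constructed traffic: every 4th packet probes a new port, the rest go to port 80."""
    return [i if i % 4 == 0 else 80 for i in range(1, length + 1)]


if __name__ == "__main__":
    print("sequential scan of 100 ports alarms at packet", first_detection(PortScanDetector(), range(1, 101)))
    print("300 packets to port 80 alarm at packet", first_detection(PortScanDetector(), [80] * 300))
    print("slow scan, N=4 vectors:", first_detection(PortScanDetector(), slow_scan_stream(256)))
    print("slow scan, N=1 vector: ", first_detection(PortScanDetector(n_vectors=1), slow_scan_stream(256)))
    print("memory used:", sum(len(v) for v in PortScanDetector().vectors), "bytes")
```

With these settings the detector holds 4 × 128 = 512 bytes instead of the 8 KB of a full one-bit-per-port map; the price is that ports which collide under f share a bit, so a biased f that spreads commonly scanned ports across distinct bits is worth considering on a real NIC.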

13
Anomalous Client Detector
  • Goal Detect anomalous behavior
  • E.g. is this particular src→dest packet typical?
  • Estimate P(srcIP | destIP) [Chan 02]
  • Is P(srcIP | destIP) > threshold?
  • If yes, then detect normal
  • If no, then detect anomaly
  • Implementation
  • Relies on hash tables
  • Complete srcIP not modeled (only at the subnet
    level)
  • Moderate/high memory utilization, low
    computational cost

14
Anomalous Client Detector (contd.)
  • Threshold
  • Dynamic, functionally dependent on destIP
  • Must aid in discriminating amongst different
    levels of anomalous behavior
  • E.g. A new client accessing web portal is less
    surprising than a new client accessing an
    internal machine
  • We can use entropy to model this!
  • Entropy of internal machine will be low.
  • Entropy of external machine will be high.
  • Extensions
  • Non-stationary model (similar to port-scan
    detector)
  • Can compare changes to P(srcIP | destIP) over time
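The anomalous client detector from the two slides above (P(srcIP | destIP) estimated from per-destination tables, sources modelled at subnet level, and a destination-dependent threshold derived from entropy), as an added example that is not the authors' code. The way entropy enters the threshold is an assumption: here threshold(dst) = 2^-(H(dst) + m) with a margin m of 4 bits, so a destination with many clients (high entropy) tolerates a previously unseen client, while a destination with one habitual client (entropy near zero) does not. The add-one smoothing, the /24 subnet granularity, the plain dicts in place of the NIC's hash tables, and the traffic (a web portal with 64 client subnets, an internal host with one) are likewise constructed for the example.

```python
"""Anomalous client detector with an entropy-derived dynamic threshold (constructed example)."""
import math
from collections import defaultdict


class AnomalousClientDetector:
    def __init__(self, margin_bits=4.0):
        self.margin_bits = margin_bits
        self.counts = defaultdict(lambda: defaultdict(int))  # dst -> client subnet -> packets
        self.totals = defaultdict(int)                        # dst -> packets

    @staticmethod
    def subnet(ip):
        """Model the source at /24 granularity only, as the slides describe."""
        return ip.rsplit(".", 1)[0]

    def train(self, src_ip, dst_ip):
        self.counts[dst_ip][self.subnet(src_ip)] += 1
        self.totals[dst_ip] += 1

    def prob(self, src_ip, dst_ip):
        """Add-one estimate of P(srcIP | destIP); one pseudo-count is reserved for unseen clients."""
        n = self.totals[dst_ip]
        clients = self.counts[dst_ip]
        c = clients.get(self.subnet(src_ip), 0)
        return (c + 1) / (n + len(clients) + 1)

    def entropy(self, dst_ip):
        """Entropy (bits) of the client distribution seen at dst_ip."""
        n = self.totals[dst_ip]
        if n == 0:
            return 0.0
        return -sum((c / n) * math.log2(c / n) for c in self.counts[dst_ip].values())

    def threshold(self, dst_ip):
        """Assumed form: a new client is tolerated when its probability is within
        margin_bits of the typical surprise (the entropy) at this destination."""
        return 2.0 ** -(self.entropy(dst_ip) + self.margin_bits)

    def is_anomalous(self, src_ip, dst_ip):
        return self.prob(src_ip, dst_ip) <= self.threshold(dst_ip)


def build_demo():
    """Constructed attack-free training traffic."""
    det = AnomalousClientDetector()
    for i in range(64):                       # web portal 10.0.0.1: 64 client subnets, 8 packets each
        for h in range(8):
            det.train(f"203.0.{i}.{h + 1}", "10.0.0.1")
    for h in range(512):                      # internal host 10.0.0.2: one client subnet
        det.train(f"10.0.5.{h % 250 + 1}", "10.0.0.2")
    return det


if __name__ == "__main__":
    det = build_demo()
    for dst in ("10.0.0.1", "10.0.0.2"):
        print(dst, "entropy=%.2f threshold=%.5f" % (det.entropy(dst), det.threshold(dst)),
              "new client anomalous:", det.is_anomalous("198.51.100.7", dst))
    print("known client to internal host anomalous:", det.is_anomalous("10.0.5.42", "10.0.0.2"))
```

The same unseen client subnet scores as normal against the portal (entropy 6 bits, threshold about 0.001) and as an anomaly against the internal host (entropy 0, threshold 1/16), which is exactly the discrimination the slide asks for. The non-stationary extension mentioned on the slide would keep a second, shorter-lived set of counts and compare the two estimates of P(srcIP | destIP).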

15
Naïve Bayes Packet Classifier
  • Simplified Naïve Bayes Classifier trained to
    identify the signature of seven different
    artificial intrusions.
  • 6 features explicit in the packet header
  • Protocol type, Protocol Flags, SrcPort, DestPort,
    SrcIP, DestIP (may be implicit)
  • 1 derived feature
  • E.g. connections in last X seconds, average
    deviation of TTL
  • Implementation details
  • Relatively high computational requirements
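A simplified Naïve Bayes packet classifier over the six header features and one derived feature (packets from the same source in the last X seconds), as an added example that is not the authors' implementation. Everything concrete here is constructed: the three classes (good plus two artificial intrusion signatures, where the paper trains on seven), the labelled training packets, the 1-second window and the bucketing of the derived feature, and the add-one smoothing. The features are categorical and the posterior is computed in log space; destination IP is kept as a feature even though it is implicit for a NIC that serves one host.

```python
"""Naïve Bayes packet classifier with one derived rate feature (constructed example)."""
import math
from collections import defaultdict

# Constructed labelled packets: (timestamp_s, proto, flags, sport, dport, src_ip, dst_ip, label)
TRAINING = (
    [(t, "tcp", "ACK", 40001, 80, "10.1.2.3", "10.0.0.1", "good") for t in (0.0, 1.0, 2.0)]
    + [(t, "tcp", "ACK", 40002, 443, "10.2.3.4", "10.0.0.1", "good") for t in (3.0, 4.0)]
    + [(5.0, "udp", "-", 40003, 53, "10.1.2.3", "10.0.0.2", "good")]
    + [(100.0 + 0.01 * k, "tcp", "SYN", 5000 + k, 80, "192.168.5.9", "10.0.0.1", "syn_flood")
       for k in range(8)]
    + [(200.0 + 0.05 * k, "tcp", "SYN", 6000 + k, p, "172.16.9.1", "10.0.0.3", "port_scan")
       for k, p in enumerate((21, 22, 23, 25, 110, 135, 139, 143))]
)


def subnet(ip):
    return ip.rsplit(".", 1)[0]


def rate_bucket(history, src, now, window=1.0, high=3):
    """Derived feature: earlier packets from src within the last `window` seconds,
    bucketed as low/high. history maps src -> list of recent timestamps."""
    recent = [t for t in history[src] if now - t <= window]
    history[src] = recent + [now]          # forget timestamps outside the window
    return "high" if len(recent) >= high else "low"


def featurize(pkt, history):
    """Six header features plus the derived rate feature."""
    ts, proto, flags, sport, dport, src, dst = pkt
    return (proto, flags, "low" if sport < 1024 else "high", dport,
            subnet(src), dst, rate_bucket(history, src, ts))


class NaiveBayesPacketClassifier:
    def __init__(self):
        self.class_count = defaultdict(int)
        self.feature_count = defaultdict(lambda: defaultdict(int))  # (label, i) -> value -> n
        self.vocab = defaultdict(set)                                 # i -> values seen

    def train(self, features, label):
        self.class_count[label] += 1
        for i, v in enumerate(features):
            self.feature_count[(label, i)][v] += 1
            self.vocab[i].add(v)

    def log_posterior(self, features, label):
        total = sum(self.class_count.values())
        lp = math.log(self.class_count[label] / total)
        for i, v in enumerate(features):
            n_cv = self.feature_count[(label, i)].get(v, 0)
            lp += math.log((n_cv + 1) / (self.class_count[label] + len(self.vocab[i])))  # add-one
        return lp

    def classify(self, features):
        return max(self.class_count, key=lambda c: self.log_posterior(features, c))


def build_demo():
    history = defaultdict(list)
    clf = NaiveBayesPacketClassifier()
    for pkt in TRAINING:
        clf.train(featurize(pkt[:7], history), pkt[7])
    return clf, history


def demo_predictions():
    """Classify three constructed test flows; the burst flows are judged on their last packet."""
    clf, history = build_demo()
    normal = featurize((300.0, "tcp", "ACK", 40010, 80, "10.1.2.3", "10.0.0.1"), history)
    for k in range(5):
        syn = featurize((301.0 + 0.01 * k, "tcp", "SYN", 7000 + k, 80, "192.168.5.9", "10.0.0.1"), history)
    for k, p in enumerate((445, 3389, 8080, 5900, 1433)):   # unseen source and unseen ports
        scan = featurize((302.0 + 0.01 * k, "tcp", "SYN", 8000 + k, p, "198.51.100.5", "10.0.0.3"), history)
    return {"normal_web": clf.classify(normal), "syn_burst": clf.classify(syn), "scan_burst": clf.classify(scan)}


if __name__ == "__main__":
    for name, label in demo_predictions().items():
        print(name, "->", label)
```

The scan burst comes from a source subnet and to ports never seen in training, so those two features contribute only the smoothed floor for every class; the decision falls to the SYN flag, the high rate bucket and the destination, which is why the derived feature and a few well-chosen header fields are enough for a cheap classifier. The cost the slide flags as "relatively high" is the per-packet table lookups and the history list behind the derived feature, both of which a NIC with limited memory has to bound.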

16
Roadmap
  • Motivation and Approaches
  • Challenges and Objectives
  • Preliminary Work
  • Algorithms
  • Experimental Results
  • Conclusions

17
Experimental Results
  • Hardware Configuration
  • 300 MHz Pentium II, 128 MB memory
  • 66 MHz LANai 4 processor NIC, 1 MB memory
  • Software
  • Synthetic datasets (described in paper)
  • Training-Testing data split (standard)

18
Results: Resource Requirements
[chart; values not captured in the transcript]
19
Effect of Host Load on Bandwidth
[chart; values not captured in the transcript]
20
Results: Port Scan Detector
[chart; values not captured in the transcript]
21
Results: Anomalous Client Detector
  • DARPA dataset
  • 1 week attack-free data
  • 1 week test data
  • Only external tcp dump
  • 13 million packets
  • Detects 11/43 attacks
  • Some spread over several packets
  • Clustering alarms reduces false alarm rate
  • Misses 32/43 attacks
  • Uses only external TCP dump
  • Several not detectable from just IP
  • Synthetic dataset qualitative performance summary

Typical confusion matrix (synthetic dataset):

              Good      Bad
  Good      899486        0
  Bad          790    99724
22
Results: Naïve Bayes Classifier
Typical confusion matrix (synthetic dataset):

              Good      Bad
  Good      105118        0
  Bad        67545   827337
23
Roadmap
  • Motivation and Approaches
  • Challenges and Objectives
  • Preliminary Work
  • Algorithms
  • Experimental Results
  • Conclusions

24
Related Work
  • Intrusion detection
  • Ton of recent work in this area
  • Anomaly detection: Forrest 97, Chan 02
  • Signature detection, e.g. SNORT/BRO
  • Hybrid strategies: Barbara et al. 2001/2002
  • NIC-based computing support
  • Fast synchronization support: Panda 01
  • Fast support for application messaging: Bershad
    98
  • NIC-based security
  • Self-securing devices: Ganger 2001, 2002
  • Firewall security: 3Com embedded firewall 2001

25
Current and Future Work
  • Testing using real data (DARPA/NETFLOW)
  • Port system to other NICs
  • Faster Myrinet cards
  • Effect of multiple processors per NIC (Quadrics)
  • New detectors/algorithms?
  • Effect of multiple detectors per NIC
  • Distributed NIC-based ID schemes
  • Combining NIC/host-based schemes
  • Potentially lose out on some reliability at a
    gain of better techniques

26
Conclusions
  • NIC-based intrusion detection can potentially be
    a useful addition to the overall network security
    system.
  • Potential impact on
  • Coverage, Scalability, Reliability, Performance,
    Flexibility
  • Technological outlook looks good
  • Multiprocessor NICs (Quadrics), 1 GHz NICs (soon)
  • Preliminary results support argument
  • However, there is a long way to go!

27
Questions?
  • srini@cis.ohio-state.edu