1 / 34

Efficient and Effective Architecture for Intrusion Detection System

Efficient and Effective Architecture for Intrusion Detection System. Prepared by Ashif Adnan, Omair Alam, Akhtaruzzaman School of Computer Science University of Windsor ON, Canada. Outline. Introduction Motivation Goal Related works Our observations Conclusion Acknowledgment

alva
Télécharger la présentation

Efficient and Effective Architecture for Intrusion Detection System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Efficient and Effective Architecture for Intrusion Detection System Prepared by Ashif Adnan, Omair Alam, Akhtaruzzaman School of Computer Science University of Windsor ON, Canada

  2. Outline • Introduction • Motivation • Goal • Related works • Our observations • Conclusion • Acknowledgment • References

  3. Introduction • Ubiquitous computing environment • Intrusion Detection Systems • Misuse based • Anomaly based • Intrusion determination • False positive • False negative • Intrusion detection rules • Proactive intrusion detection

  4. Motivation • Tremendous growth of network • More availability of information • Need for information security • Growing importance of IDS • Lack of efficiency in data collection • Inefficiency and inaccuracy in analyzing attacks • Complexity in rules checking

  5. Goal • Effective, • Efficient and • Secured Intrusion Detection System

  6. Related works • New Approaches to Data Collection, Management and Analysis for IDS • Basic concept used was SMASH • SMASH – A Secure Monitoring System for Information Assurance, Analysis and survivability of Network Hazards. • Basic need for implementing SMASH was Network Security. • The analysis will help reduce false positives and false negative determinations of intrusions

  7. Related works (cont’d)…Data Collection, Management and Analysis • Requirements for implementing SMASH sensors • Low cost • No extreme bandwidth requirements • Flexible • Scalable • Wireless networks fulfills all of these requirements • Additional advantage that sensors can be moved without disruption of the operational network

  8. Related works (cont’d)…Data Collection, Management and Analysis • Features of Gumstix used • It is a miniature computer which comes preloaded with Linux operating system. • A 400 MHz processor • NetCf stick, which combines a 100Mbps Ethernet interface with a compact flash card adapter • A compact flash wireless card • It measures only 4” long by ¾” wide and ½” thick. • The motherboards measure 80 mm x 20 mm x 6.3 mm.

  9. Related works (cont’d)…Data Collection, Management and Analysis Figure 1: Gumstix Computers Figure 2: Gumstix Motherboard Graphic Reference: http://www.gumstix.com/

  10. Related works (cont’d)…Data Collection, Management and Analysis • Collecting Data using Gumstix • Setting up the network • Sensor(Gumstix) as the sniffer • A central management system • Network monitoring software such as Tcpdump • IDS application such as Snort • Java application using socket programming

  11. Related works (cont’d)…Data Collection, Management and Analysis Figure 3: Gumstix Network Setup

  12. Related works (cont’d)…Data Collection, Management and Analysis • Managing Data over Wireless • Key issue- Communication with the controlling workstation • If the sensor undergoes DDOS attack, then its ability to send the data back to the controller may have become compromised. • So the best solution is to make the sensor communicate with the management station on a dedicated, isolated network. • But an additional wired network becomes unmanageable, so a wireless network is used.

  13. Related works (cont’d)…Analysis of the design • Analyzing data with Data Fusion and Data Mining Techniques • Data Fusion, is generally defined as the use of techniques that combine data from multiple sources and gather that information in order to achieve inferences, which will be more efficient than if they were achieved by means of a single source. • Data Mining is the principle of sorting through large amounts of data and picking out relevant information. • The combination of data fusion and data mining techniques has the greatest potential to solve a major drawback of IDS: the unacceptable numbers of false positives and false negatives.

  14. Related works…cont’d • High throughput string matching architecture for IDS/IPS • IDS/IPS requirements • Worst Case Performance • Non-Interrupting Rule Update • High Throughput per Area

  15. Related works (cont’d)…String matching architecture • String Matching Engine • String is broken down into a set of small state machine • Hierarchical architecture • Highest level is the full device • Each device holds the entire set of strings • Reads character in every cycle • Computes the set of matches and reports • Devices can be replicated

  16. Related works (cont’d)…String matching architecture Figure 4: The String Matching Engine of the High Throughput Architecture [2]

  17. Related works (cont’d)…String matching architecture • Support for Non-interrupting Update • Automated systems are used • Faster than old FPGA (Field-programmable gate array ) based techniques Figure 5: Non-interrupting update support [2]

  18. Related works (cont’d)…Analysis of the design • Theoretical optimal partitioning • For a set of strings S each with L characters per string, the total number of bits the architecture requires is Tn,g = n floor(S/g)2floor(log2(gL))(floor(log2(gL)))28/n + g) Where n is number of state machine per rule module and g is the group size. Table 1: Optimal module size [2]

  19. Related works (cont’d).. Analysis of the design • Throughput analysis Table 2: Detailed Comparison of the Bit Split FSM Design and existing FPGA-based Designs [2]

  20. Related works • Utilizing fuzzy logic and neural network for IDS in wireless environment • Current IDS • No correlation between Host-base IDS and Network-base IDS • Database need to be update frequently for missed attack • Log file need to be analyze for a long period of time • A problem with Anomaly Detection is that a user over time can train the system to accept anomalous behavior as normal, by slowly adding to the attack

  21. Related works (cont’d)…Fuzzy logic and neural network • Difference Figure 6: Comparison between Traditional and Alternative Misuse Detection [3]

  22. Related works (cont’d)…Fuzzy logic and neural network • NeWPAIM-W2 Model Figure 7: General Representation of NeGPAIM-W2 [3]

  23. Related works (cont’d)…Fuzzy logic and neural network • The Fuzzy Engine • The fuzzy engine is one of the two low-level processing units of NeGPAIM-W2 and will process the input data. • This engine is responsible for implementing the Misuse Detection methodology. • The fuzzy engine will compute a template firstly, and the user action graph will be mapped against it to determine whether or not a user (intruder) has been, or is performing an intrusion attack.

  24. Related works (cont’d)…Fuzzy logic and neural network • Neural Engine • Second low level processing engine • Its also process input data • This engine will process the data and search through it for patterns of abnormal user behaviors that may be occurring.

  25. Related works (cont’d)…Fuzzy logic and neural network • Central Analysis Engine • To determine the source of an attack. • To determine the type of attack being currently perpetrated by the attacker. • To take into account all information gathered from various sources and to determine an overall intrusion probability. • Finally the engine uses the overall intrusion probability value along with the type of and source of the intrusion attack to perform a response to the intruder’s actions.

  26. Fuzzy Engine 5/8/70% risk Central Analysis Engine 6/9/75% risk Neural Engine 7/10/80% risk Related works (cont’d).. Analysis of the design Figure 8: Risk analysis

  27. Related works (cont’d).. Analysis of the design • Method of Testing • Tested by fully functional prototype call Sentinel IDS • Test Bed • Microsoft Windows OS • Tools • Airodump, Aireplay, Aircrack, Super-Scan and Brutus • Misuse test by Fuzzy Engine • 98% accurate • Anomaly test by Neural Engine • 97% accurate

  28. Our observations • Data Collection, Management and Analysis for IDS… • Cumbersome and unwieldy to manage 2 or maybe more networks. • Need to backup management station • String matching architecture • Applicable to general search problems on general state machines • Possible to improvement throughput • By reading in more than one byte • Possible to extend the number of next states • By reading in more than one byte • Need to multiply throughput with reasonable increase in storage size.

  29. Our observations (cont’d) • Intrusion detection with fuzzy logic and neural network • Needs rigorous test • Potential bugs and vulnerabilities might weaken the WLAN security • Cost of the wireless IDS solution may grow with the size of the WLAN

  30. Our observations (cont’d)…New Architecture Database High Throughput String Matching Rule based Architecture Central Analysis Engine 6/9/75% risk 5/8/70% risk Fuzzy Engine 7/10/80% risk Neural Engine Sticky GUM Architecture for Data Collection Access Point Logs Figure 9: Modified architecture for Intrusion Detection System

  31. Conclusion • Observed steps • Investigation of new approach to data collection, management and analysis for IDS using Gumstix • Investigation of high throughput string matching architecture for IDS • Utilization of fuzzy logic and neural network for IDS using the model NeGPAIM-W2 • Our proposed idea • Efficient and Effective Architecture for Intrusion Detection System

  32. Acknowledgement • We would like to thank our professor for his great support and giving us the opportunity to learn about network security • We would like to thank our audience for listening our presentation

  33. References [1] E. Derrick, R. Tibbs, L. Reynolds. Investigating new approaches to data collection, management and analysis for network intrusion detection. In Proc. of the 45th annual southeast regional conference ACM-SE 45, Pages: 283 - 287, Publisher: ACM Press, 2007. [2] L. Tan, T. Sherwood. A high throughput string matching architecture for intrusion detection and prevention, In Proc. of the 32nd International Symposium on Computer Architecture, Vol. 33, Isuue 2, Pages: 112-122, Publisher: IEEE Computer Society, 2005. [3] R. Goss, M. Botha, R. Solms. Utilizing fuzzy logic and neural networks for effective, preventative intrusion detection in a wireless environment. In Proc of the 2007 annual research conference of the South African institute of computer scientists and information technologists on IT research in developing countries SAICSIT '07, Vol. 26, Pages: 29 - 35, Publisher: ACM Press, 2007. [4] Gumstix, Inc. Gumstix – Way small computing. Accessed at http://gumstix.com/index.html. [5] S. A. Crosby and D. S. Wallach. Denial of service via algorithmic complexity attacks. In Proc. of USENIX Annual Technical Conference, June 2003. [6] http://portal.acm.org/citation.cfm?id=1292491.1292495.

  34. The End Questions ?

More Related