
Kernel Mode Network Intrusion Detection


Presentation Transcript


  1. Kernel Mode Network Intrusion Detection
     Like Zhang

  2. Outline
     • Network Intrusion Detection Overview
     • Network Monitoring Solutions
     • Network Layers in Windows Kernel
     • Recent Research
     • Work to do

  3. What is Network Intrusion Detection?
     • Complete packet inspection
     • Complicated rule sets
     • Able to inspect application layer data
     • Anomaly detection for unknown attacks

  4. NIDS vs. Firewall

  5. How NIDS works
     System kernel: NIC -> NIC buffer -> DPC (interrupt handling) -> packet filter driver -> system RAM
     User mode: related applications -> packet analysis (pattern matching or statistical analysis)

  6. Evolution of packet engines
     • Early stage: CMU/Stanford packet filter, 1987: expression tree based; slow
     • Berkeley packet filter, 1993: DAG (CFG) based; efficient (fields are checked only once)

  7. Tree vs. DAG
     (diagram panels: expression tree; stack simulation; directed acyclic graph)
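Slides 6 and 7 contrast the tree-based CMU/Stanford filter with BPF's DAG (control-flow graph) engine, in which each packet field is checked only once. The following is an added example, not code from the talk or from any BPF implementation: a minimal BPF-style machine in C that runs an "ip and tcp" program over a constructed Ethernet/IPv4 frame and counts how many field reads the run needed. The instruction set, the jt/jf jump encoding, the frame bytes and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Minimal BPF-style filter machine (added example, not the talk's or any kernel's code).
 * The program is a control-flow graph: each field is loaded once and a conditional jump
 * selects the next node, so "ip and tcp" reads the EtherType a single time. */
enum op { LDH, LDB, JEQ, RET };  /* load 16-bit, load 8-bit, jump if equal, return */
struct insn { enum op op; uint32_t k; uint8_t jt, jf; };
/* "ip and tcp": jt/jf are offsets from the next instruction, as in classic BPF.
 * Assumes an untagged Ethernet frame carrying IPv4 (protocol byte at offset 23). */
static const struct insn ip_tcp_prog[] = {
    { LDH, 12, 0, 0 }, { JEQ, 0x0800, 0, 3 },  /* 0-1: EtherType IPv4? -> 2, else -> 5 */
    { LDB, 23, 0, 0 }, { JEQ, 6, 0, 1 },       /* 2-3: protocol TCP?   -> 4, else -> 5 */
    { RET, 1, 0, 0 }, { RET, 0, 0, 0 },        /* 4: accept, 5: drop                   */
};
/* Returns 1 (accept), 0 (drop) or -1 (load past the end of the packet, or a program that
 * falls off its end). *loads receives the number of field reads the run performed. */
int bpf_run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len, int *loads)
{
    uint32_t acc = 0; int count = 0;  /* accumulator and field-read counter */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case LDH: if ((size_t)i->k + 2 > len) return -1;  /* never read past the buffer */
                  acc = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1]; count++; break;
        case LDB: if ((size_t)i->k + 1 > len) return -1;
                  acc = pkt[i->k]; count++; break;
        case JEQ: pc += (acc == i->k) ? i->jt : i->jf; break;  /* loop's pc++ adds the +1 */
        case RET: if (loads) *loads = count; return (int)i->k;
        }
    }
    return -1;
}
/* Constructed 34-byte frame: Ethernet header (EtherType 0x0800) followed by a minimal
 * IPv4 header with TTL 64, protocol 6 (TCP), 10.0.0.1 -> 10.0.0.2. */
static const uint8_t sample_ip_tcp[34] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2 };
/* Filter a variant of the constructed frame: 0 = as is (TCP), 1 = protocol 17 (UDP),
 * 2 = EtherType 0x0806 (ARP). variant_loads() reports how many fields were read. */
int run_variant(int which, int *loads)
{
    uint8_t p[sizeof sample_ip_tcp];
    memcpy(p, sample_ip_tcp, sizeof p);
    if (which == 1) p[23] = 17;
    if (which == 2) { p[12] = 0x08; p[13] = 0x06; }
    return bpf_run(ip_tcp_prog, sizeof ip_tcp_prog / sizeof ip_tcp_prog[0], p, sizeof p, loads);
}
int variant_loads(int which) { int n = 0; run_variant(which, &n); return n; }
```

The ARP variant is rejected after a single load because the graph branches to "drop" right after the EtherType check, and a frame shorter than the offsets the program touches is refused rather than read out of bounds, which is the property a kernel-resident filter must preserve.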

  8. Architecture of BPF

  9. The Interface
     • Libpcap
     • Winpcap
     Used by: tcpdump, Ethereal, Snort
     Available for: Perl, Java, .NET (C#), C/C++, Ruby, etc.

  10. Architecture of Winpcap

  11. Microsoft Solution
     • NDIS driver (Network Driver Interface Specification): Microsoft and 3Com, 1989; the standard Windows driver model for network adapters
     • .NET network monitoring: easy to use; very limited abilities

  12. Windows Network Kernel Overview
     (diagram layers, top to bottom: application layer; NDIS driver; physical layer)

  13. Winsock Implementation

  14. Windows NDIS Driver Overview
     (diagram: protocol driver; filter driver 1, filter driver 2, …; intermediate driver (virtual adapter))

  15. Kernel based IDS Research
     • Modifying Linux kernel source code (most research)
     • Hooking the Windows kernel (very few)

  16. Zero Copy
     Y. L, M. C, “Lyranet: A Zero-copy TCP/IP Protocol Stack for Embedded Operating Systems”, 2005
     • Network packets go straight to system memory instead of being copied from kernel space

  17. Kernel Based Decision Tree
     B. Chung, J.N. Kim, S.W. Sohn, C. H. Park, “Kernel Level Intrusion Detection System for Minimum Packet Loss”, 2004
     • Perform simple rule checking in the kernel
     • Associate multiple packets for further processing in user mode

  18. Kernel Based PCA
     B. J. Kim, I. Kim, “Kernel Based Intrusion Detection System”, 2005
     • Use a modified PCA approach to perform real-time packet processing inside the system kernel (Linux)
     • On-line feature extraction (modified PCA), classification (least squares SVM), on-line detection

  19. Firewall based on NDIS Driver
     H. Chaokai, “Design and Implementation of a Personal Firewall Based on NDIS Intermediate Drivers”, 2007
     • Introduces the concept of implementing a firewall using a Microsoft NDIS driver

  20. Why kernel?
     • The first consideration when moving an algorithm from theory to application
     • Most “perfect” intrusion detection algorithms only work for off-line experiments
     • No current software based IDS can handle large traffic volumes
     • Little related research exists
     • Important topic for industry

  21. What to do?
     • How much performance can be gained?
     • What is the best strategy to implement a NIDS?
     • How to communicate between kernel and user mode?

  22. Thanks!
