Overview

The goal of an intrusion detection system is to detect inappropriate, incorrect, and unusual activity on a network or on hosts belonging to a local network by monitoring network activity. Determining whether an attack has occurred or has been attempted typically requires scanning large amounts of data (collected from the network, host, or file system) for clues of suspicious activity. There are two general approaches to this problem: signature detection (also known as abuse detection), which looks for known attack patterns, and anomaly detection, which looks for deviations from normal behavior.

Most of the work on signature and anomaly detection has been related to intrusion detection at the host processor level. One problem with that approach is that even if intrusion activity is detected, it is often not possible to prevent the attack from bringing the system down and overusing the system’s CPU (for example, in the case of denial of service attacks).

As an alternative to relying on the host’s CPU to detect intrusions, there is also growing interest in using the NIC (Network Interface Card) as part of this process. The main function of NICs in computer systems is to move data between devices on the network. A natural extension of this function would be to actually keep an eye on the forwarded packets in each direction by examining the packet headers and simply not forwarding suspicious packets.

There has been a fair amount of activity recently in the area of NIC-based computing. Related to the work on NIC-based intrusion detection systems is the use of NICs for firewall security. The idea is to incorporate firewall-like security at the NIC level. Firewall functionality, such as packet filtering, packet auditing, and support for multi-tiered security levels, has been proposed and, in fact, marketed in 3Com’s Integrated Firewall.

Rationale

The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection is based on the following points:

· Functions such as signature-based and anomaly-based packet classification can be performed on the NIC, which has its own processor and memory. This makes it virtually impossible to circumvent or tamper with (compared to software-based systems that depend on the host OS).

· If the host is loaded with other programs running simultaneously with the intrusion detection software, then an intrusion detection system that relies on host processing can slow down, negatively affecting the bandwidth available for network transmissions. A NIC-based strategy is not affected by the load on the host.

· With centralized intrusion detection systems, one encounters a problem associated with scalability; however, this is not the case with NIC-based intrusion detection. Each individual NIC can handle the incoming and outgoing traffic of the particular processor/local area network it is connected to, thus distributing the workload effectively.

· NIC-based strategies provide better coverage and functional separation, as internal NICs can detect port scans, while NICs in the firewall can detect host scans.

· The NIC-based scheme is flexible, adapts dynamically, and can work alongside existing host-based intrusion detection systems. The host-based intrusion detection system can download new rules/signatures to the NIC on the fly, making the detection process adaptive.

The challenge

The current disadvantage of NIC-based intrusion detection is that the processor on the NIC is much slower and its memory subsystem much smaller than those of the host. Implementing algorithms on the NIC therefore presents several new challenges. For example, NICs are typically not capable of floating point operations, so algorithms implemented for the NIC are forced to resort to estimations based on fixed point arithmetic. The bandwidth and latency impact on normal, non-intrusive messages must also be kept small. The challenge thus becomes how best to use the NIC’s limited processing capabilities for intrusion detection.

IDS Algorithms

There are two general approaches to the problem of intrusion detection: signature detection (also known as abuse detection), which looks for patterns that signal known attacks, and anomaly detection, which looks for deviations from normal behavior. Signature detection works reliably on known attacks, but has the obvious disadvantage of not being able to detect new attacks. Although anomaly detection can detect new attacks, it has the drawback of not being able to discern intent. It can only signal that some event is unusual, but not necessarily hostile, thus generating false alarms.

Signature detection methods are better understood and widely applied. They are used both in host-based systems, such as virus scanners, and in network-based systems, such as SNORT and BRO. These systems use a set of rules that encode knowledge gained from security experts to test files or network traffic for patterns known to occur in attacks. One limitation of these systems is that as new vulnerabilities or attacks are discovered, the rule set must be manually updated. Another drawback is that minor variations in attack methods can often defeat such systems.

Anomaly detection is a more difficult problem than signature detection because, while attack signatures can be very precise, what is considered normal is more abstract and ambiguous. Instead of finding rules that characterize attacks, one tries to find rules that characterize normal behavior. Since what is considered normal may vary between settings, a separate model of normality may have to be learned for each one. Much of the research in anomaly detection models normal behavior from a (presumably) attack-free training set. Because we cannot predict all possible non-hostile behavior, false alarms are inevitable. Researchers have found that when a program or server on a vulnerable UNIX system is attacked (for example, by using a buffer overflow to open a root shell), the program makes sequences of system calls that differ from the sequences found in normal operation.

Current network anomaly detection systems such as NIDES, ADAM, and SPADE only model network and transport layer features such as port numbers, IP addresses, and TCP flags. Models built from these features might detect probes (such as port scans) and some denial of service (DoS) attacks on the TCP/IP stack, but would not detect attacks in which exploit code is transmitted to a public server in the application-layer payload. Most current anomaly detectors use a stationary model, where the probability of an event depends on its average rate during training and does not vary with time. While most intrusion detection research has focused on either signature detection or anomaly detection, most researchers have realized that the two models must work hand in hand to be most effective.
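As an added example that is not from the article or any vendor's firmware, the following ties together the fixed-point constraint described under "The challenge" and the stationary header-feature model described here: a NIC-side scorer that counts (destination port, TCP flags) combinations during attack-free training and then flags packets whose smoothed probability is below 1/256, using an integer-only log2. The bucket hash, the threshold, and the sample packets are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stationary anomaly model over transport-layer header fields, written in
 * integer-only arithmetic as NIC firmware without an FPU would need.
 * Scores are 16.16 fixed-point. Hash, threshold and packets are constructed. */
#define FX_SHIFT 16
#define NBUCKETS 64
#define ALARM_THRESHOLD (8u << FX_SHIFT)   /* -log2(p) >= 8, i.e. p <= 1/256 */

typedef struct { uint16_t dport; uint8_t tcp_flags; } pkt_hdr_t;

static uint32_t counts[NBUCKETS];   /* per-feature hit counts from training */
static uint32_t total;              /* packets seen during training */

static unsigned bucket(const pkt_hdr_t *h) {
    return ((h->dport * 31u) ^ h->tcp_flags) % NBUCKETS;
}

/* Training phase: feed (presumably) attack-free traffic. */
void model_reset(void) { memset(counts, 0, sizeof counts); total = 0; }
void model_train(const pkt_hdr_t *h) { counts[bucket(h)]++; total++; }

/* log2(x) in 16.16 fixed-point: integer part from the bit length, fraction by
 * linear interpolation of the mantissa. Monotone, so differences never wrap. */
static uint32_t fx_log2(uint32_t x) {
    uint32_t ip = 0;
    while ((x >> (ip + 1)) != 0) ip++;
    uint64_t frac = ((uint64_t)(x - (1u << ip)) << FX_SHIFT) >> ip;
    return (ip << FX_SHIFT) | (uint32_t)frac;
}

/* Surprise score -log2(p) with add-one smoothing: p = (count+1)/(total+N). */
uint32_t model_score(const pkt_hdr_t *h) {
    return fx_log2(total + NBUCKETS) - fx_log2(counts[bucket(h)] + 1);
}

/* Decision the NIC would make before forwarding: 1 = alert/drop, 0 = pass. */
int model_is_anomalous(const pkt_hdr_t *h) {
    return model_score(h) >= ALARM_THRESHOLD;
}

int main(void) {
    pkt_hdr_t web = {80, 0x18}, tls = {443, 0x18}, odd = {31337, 0x02};
    model_reset();
    for (int i = 0; i < 500; i++) { model_train(&web); model_train(&tls); }
    printf("web: score %u/65536 anomalous=%d\n", model_score(&web), model_is_anomalous(&web));
    printf("odd: score %u/65536 anomalous=%d\n", model_score(&odd), model_is_anomalous(&odd));
    return 0;
}
```

The training counts become the stationary probabilities the text describes; a real NIC would also need a host-driven path to swap in a fresh model when the traffic profile changes.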

Results

The quantitative improvements seen for NIC-based IDSs when compared with host-based IDSs can be attributed to the fact that the host operating system does not need to be interrupted by the detection process. Therefore, on heavily loaded hosts, permitted network traffic proceeds at a constant rate as long as the NIC’s compute and memory resources are not stretched. The advantage of having the NIC do the policing is that it can prevent network-based intrusions from wreaking havoc on host systems, since an intruding packet, if detected, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot keep up with the rate at which packets arrive, it can start dropping them, as this may be indicative of a DoS attack. If the NIC were to be overwhelmed by such an attack, the host would be saved; it is preferable to sacrifice only the NIC to the attack rather than the entire host machine. From a technology perspective, we are not too far off from 1 GHz NIC processors (with correspondingly larger memory). With those systems in place, one can anticipate that NIC-based intrusion detection will perform better both quantitatively and qualitatively, since less restrictive and more robust algorithms can be employed.

Final comments

Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an integrated firewall network card that fits into standard peripheral slots on servers and desktops. The card enables the deployment of advanced network security features, such as virtual private networking and firewall and intrusion detection, that protect individual servers and desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of security breaches by individuals on the internal network.

As a NIC-based firewall/VPN/IDS device that is host independent, the PCI635 makes the desktop system immune to Windows vulnerabilities. This is important as software-based security solutions can be rendered useless if the operating system is exploited, compromising the computer and potentially the internal network. The Intrusion Detection System (IDS) is based on Snort and increases security by identifying known security attacks.
