May 16, 2024

Network security: NIC-based intrusion detection systems

Overview

The goal of an intrusion detection system is to detect inappropriate, incorrect, and unusual activity on a network or on hosts belonging to a local network by monitoring network activity. Determining if an attack has occurred or if one has been attempted typically requires analyzing large amounts of data (gathered from the network, host, or file system) for clues of suspicious activity. There are two general approaches to this problem: signature detection (also known as abuse detection), which looks for known attack patterns, and anomaly detection, which looks for deviations from normal behavior.

Most of the work on signature and anomaly detection has been related to intrusion detection at the host processor level. One problem with that approach is that even if intrusion activity is detected, often you cannot prevent the attack from disrupting the system and overusing the system’s CPU (for example, in the case of denial-of-service attacks).

As an alternative to relying on the host CPU to detect intrusions, there is also growing interest in using the NIC (Network Interface Card) as part of this process. The primary function of NICs in computer systems is to move data between devices on the network. A natural extension of this feature would be to actually keep an eye on forwarded packets in each direction by examining the packet headers and simply not forwarding suspicious packets.

There has been a fair amount of activity recently in the area of NIC-based computing. Closely related to work on NIC-based intrusion detection systems is the use of NICs for firewall security: the idea is to embed firewall-like security at the NIC level. Firewall functionality such as packet filtering, packet auditing, and support for multi-level security has been proposed, and has in fact been commercialized in the 3Com Integrated Firewall.

Rationale

The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection is based on the following points:

· Functions such as signature-based packet classification and anomaly detection can be performed on the NIC, which has its own processor and memory. This makes it virtually impossible to bypass or manipulate (compared to software-based systems that rely on the host operating system).

· If the host is loaded with other programs running concurrently with the intrusion detection software, an intrusion detection system that relies on host processing can slow down, reducing the bandwidth available for network transmissions. A NIC-based strategy is not affected by the load on the host.

· With centralized intrusion detection systems, one encounters a problem associated with scalability; however, this is not the case with NIC-based intrusion detection. Each individual NIC can handle the incoming and outgoing traffic of the particular processor/local area network to which it is connected, thus effectively distributing the workload.

· NIC-based strategies provide better coverage and functional separation, as the internal NICs can detect port scans, while the NICs in the firewall can detect host scans.

· The NIC-based scheme is flexible, adapts dynamically, and can work alongside existing host-based intrusion detection systems. The host-based intrusion detection system can download new rules/signatures to the NIC on the fly, making the detection process adaptable.

The challenge

The current disadvantage of NIC-based intrusion detection is that the processor on the NIC is much slower and its memory subsystem much smaller than the host's. Implementing algorithms on the NIC therefore presents several new challenges. For example, NICs are typically not capable of floating-point operations, so algorithms implemented for the NIC are forced to resort to estimates based on fixed-point operations. The bandwidth and latency impact on normal, non-intrusive traffic must also be kept small. The challenge, then, is how best to use the limited processing capabilities of the NIC for intrusion detection.

IDS algorithms

There are two general approaches to the intrusion detection problem: signature detection (also known as abuse detection), which looks for patterns that signal known attacks, and anomaly detection, which looks for deviations from normal behavior. Signature detection works reliably on known attacks, but has the obvious disadvantage of not being able to detect new attacks. Although anomaly detection can detect new attacks, it has the drawback of not being able to discern intent. It can only signal that some event is unusual, but not necessarily hostile, thus generating false alarms.

Signature detection methods are better understood and widely applied. They are used both in host-based systems, such as virus scanners, and in network-based systems, such as SNORT and BRO. These systems use a set of rules that encode knowledge obtained from security experts to test files or network traffic for patterns known to occur in attacks. One limitation of these systems is that as new vulnerabilities or attacks are discovered, the rule set must be manually updated. Another drawback is that minor variations in attack methods can often defeat such systems.

Anomaly detection is a more difficult problem than signature detection because while attack signatures can be highly accurate, what is considered normal is more abstract and ambiguous. Instead of finding rules that characterize attacks, one tries to find rules that characterize normal behavior. Since what is considered normal can vary in different settings, a different model of normality can be learned individually. Much of the research in anomaly detection uses the approach of modeling normal behavior from a (presumably) attack-free training set. Because we can’t predict all possible non-hostile behavior, false alarms are unavoidable. The researchers discovered that when a vulnerable UNIX system program or server is attacked (for example, by using a buffer overflow to open a root shell), the program makes system call sequences that differ from the sequences found in normal operation.

Current network anomaly detection systems, such as NIDES, ADAM, and SPADE, only model network- and transport-layer features, such as port numbers, IP addresses, and TCP flags. Models built from these features can detect probes (such as port scans) and some denial-of-service (DoS) attacks against the TCP/IP stack, but would not detect attacks in which exploit code is transmitted to a public server in the application payload. Most current anomaly detectors use a stationary model, in which the probability of an event depends on its average rate during training and does not vary with time. While most intrusion detection research has focused on either signature detection or anomaly detection, most researchers have come to realize that the two models need to work hand in hand to be most effective.
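To make the two constraints above concrete (fixed-point arithmetic because the NIC has no floating-point unit, and a stationary model over header features such as the destination port), here is an added example that is not code from the article: a training routine that learns per-port rates from attack-free traffic, a surprise score computed entirely with integers in Q16.16 fixed point, and one header-level signature rule checked before the anomaly threshold. All names, the 90/10 training split and the sample packets are constructed for illustration.

```c
/* Added example, not from the article: stationary anomaly model over the
 * destination port, scored in Q16.16 fixed point (no FPU needed), plus one
 * header-only signature rule. Training and test packets are constructed. */
#include <stdint.h>
#include <string.h>

#define FP_SHIFT 16                 /* Q16.16: 16 fractional bits */
#define NPORTS 65536
#define TCP_FIN 0x01
#define TCP_SYN 0x02

struct pkt { uint16_t dst_port; uint8_t tcp_flags; };
struct model { uint16_t port_count[NPORTS]; uint32_t total; };   /* total < 65536 */
enum verdict { PASS = 0, SIGNATURE_HIT = 1, ANOMALY = 2 };

/* Training: count each destination port in (presumably) attack-free traffic.
 * The stationary model gives a port the fixed probability count/total. */
void model_train(struct model *m, const struct pkt *p, size_t n) {
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n; i++) { m->port_count[p[i].dst_port]++; m->total++; }
}

/* log2 of a Q16.16 value x >= 1.0, result in Q16.16, integers only: integer
 * part from the highest set bit, fraction from the mantissa using the linear
 * estimate log2(1+f) ~= f (never more than 0.086 too low). */
static uint32_t fp_log2(uint32_t x) {
    uint32_t msb = 31 - (uint32_t)__builtin_clz(x);          /* x = 2^msb*(1+f) */
    uint32_t mant = x - (1u << msb);
    uint32_t frac = msb >= FP_SHIFT ? mant >> (msb - FP_SHIFT) : mant << (FP_SHIFT - msb);
    return (msb << FP_SHIFT) + frac - (FP_SHIFT << FP_SHIFT);
}

/* Anomaly score = -log2(p(port)) in Q16.16 ("surprise" of seeing this port).
 * A port never seen in training is scored as if seen once in total+1 packets. */
uint32_t anomaly_score(const struct model *m, const struct pkt *p) {
    uint32_t c = m->port_count[p->dst_port];
    uint64_t ratio = c ? ((uint64_t)m->total << FP_SHIFT) / c
                       : (uint64_t)(m->total + 1) << FP_SHIFT;
    return fp_log2((uint32_t)ratio);
}

/* Signature rule from the header alone: SYN and FIN set together is a
 * malformed combination that legitimate TCP stacks never send. */
static int sig_syn_fin(const struct pkt *p) {
    return (p->tcp_flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN);
}

/* Per-packet decision as the NIC would make it: signature first, then the
 * anomaly threshold (Q16.16). Anything other than PASS is simply not forwarded. */
enum verdict inspect(const struct model *m, const struct pkt *p, uint32_t threshold_q16) {
    if (sig_syn_fin(p)) return SIGNATURE_HIT;
    return anomaly_score(m, p) > threshold_q16 ? ANOMALY : PASS;
}

/* Constructed attack-free training set: 90 packets to port 80, 10 to port 443. */
const struct model *sample_model(void) {
    static struct model m; static int built;
    if (!built) {
        struct pkt train[100];
        for (int i = 0; i < 100; i++) { train[i].dst_port = i < 90 ? 80 : 443; train[i].tcp_flags = TCP_SYN; }
        model_train(&m, train, 100); built = 1;
    }
    return &m;
}
```

With the sample model, port 80 scores about 0.11 and port 443 about 3.25 (true values 0.15 and 3.32), while an unseen port 22 scores about 6.58; a threshold of 4.0 (4 << 16) therefore passes the first two and flags the third.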

Results

The quantitative improvements seen for NIC-based IDS when compared with host-based IDS can be attributed to the fact that there is no need to interrupt the host operating system for the detection process. Therefore, on heavily loaded hosts, permitted network traffic progresses at a constant rate as long as the NIC's memory and compute resources are not stretched. The advantage of having the NIC take over the surveillance is that it can prevent network-based intrusions from wreaking havoc on host systems, since an intruding packet, if detected, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot keep up with the rate at which packets arrive, it can start dropping them, since such a rate can be indicative of a denial-of-service attack. If the NIC were overwhelmed by such an attack, the host would be spared; it is preferable to sacrifice only the NIC to the attack rather than the entire host machine. From a technology perspective, 1 GHz NIC processors (with appropriately larger memory) are not far off. With such systems projected, one can anticipate that NIC-based intrusion detection will perform better from both a quantitative and a qualitative standpoint (since less restrictive and more robust algorithms can be employed).

Final comments

Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an integrated firewall network card that fits into standard peripheral slots in servers and desktop computers. The card enables the deployment of advanced network security features, such as virtual private networking, firewalling, and intrusion detection, which protect servers and individual desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of security breaches by individuals on the internal network.

Because it is a NIC-based firewall/VPN/IDS device that is independent of the host, the PCI635 makes the desktop system immune to Windows vulnerabilities. This is important as software-based security solutions can become useless if the operating system is exploited, compromising the computer and potentially the internal network. The Intrusion Detection System (IDS) is based on Snort and increases security by identifying known security attacks.
