Presentation is loading. Please wait.

Presentation is loading. Please wait.

APNOMS 2003 Security Gateway System Team Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links Byoung-Koo Kim,

Similar presentations


Presentation on theme: "APNOMS 2003 Security Gateway System Team Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links Byoung-Koo Kim,"— Presentation transcript:

1 APNOMS 2003 Security Gateway System Team Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links Byoung-Koo Kim, Ik-Kyun Kim, Jong-kook Lee, Ki-Young Kim and Jong-Soo Jang Security Gateway System Team Electronics and Telecommunications Research Institute 161 Gajeong-Dong, Yuseong-Gu, Daejeon, , KOREA Tel: , Fax: {kbg63228, ikkim21, ljk63466, kykim,

2 Security Gateway System Team, ETRIAPNOMS 2003 Introduction Overview of NSCS Environment CPCS SGS CPCS - CPCS: Cyber Patrol Control System - SGS: Security Gateway System

3 Security Gateway System Team, ETRIAPNOMS 2003 Architecture of NSCS PSAB(Packet Sensing and Analyzing Block) IDAB(Intrusion Detection and Analyzing Block) CPAB(Cyber Patrol Agent Block) COPS/IAP Client(Interface Block) COPS/IAP Server(Interface Block) PMB(Policy Management Block) AMB(Alert Management Block) SMB(System Management Block) HAB(High-Analyzer Block) CPCS SGS Viewer Inline Mode Operation

4 Security Gateway System Team, ETRIAPNOMS 2003 Detailed SGS Architecture Local Alert Manager COPS / IAP Client Local Policy Manager Local GUI Response Manager SNMP Agent Database Manager Filesystem /Database Application Task System Manager Data Structure for Rule IDAB : Kernel Module PCI Bus Flow StatisticsSensingBlockingForwarding PSAB : FPGA Logic Rule Mirror Table Preprocessor FilterFixed Field Pattern Matching IP defragmentation TCP reassembly Application decode Portscan detection Preprocessor Rule Manager Payload Pattern Matching IOCTL I/FSocket I/F

5 Security Gateway System Team, ETRIAPNOMS 2003 Payload Pattern Data size Content Offset Depth Uricontent Etc… Alert Message Signature ID Etc… Payload Pattern Data size Content Offset Depth Uricontent Etc… Alert Message Signature ID Etc… Payload Pattern Data size Content Offset Depth Uricontent Etc… Alert Message Signature ID Etc… Payload Pattern Data size Content Offset Depth Uricontent Etc… Alert Message Signature ID Etc… Payload Pattern Data size Content Offset Depth Uricontent Etc… Alert Message Signature ID Etc… Payload Pattern Data size Content Offset Depth Uricontent Etc… Alert Message Signature ID Etc… Fixed Field Pattern Source IP Address Destination IP Address Source Port Destination Port TTL IP ID Fragbits TCP Flags Seq Ack Etc… Fixed Field Pattern Source IP Address Destination IP Address Source Port Destination Port TTL IP ID Fragbits TCP Flags Seq Ack Etc… Fixed Field Pattern Source IP Address Destination IP Address Source Port Destination Port TTL IP ID Fragbits TCP Flags Seq Ack Etc… Fixed Field Pattern Source IP Address Destination IP Address Source Port Destination Port TTL IP ID Fragbits TCP Flags Seq Ack Etc… Fixed Field Pattern Source IP Address Destination IP Address Source Port Destination Port TTL IP ID Fragbits TCP Flags Seq Ack Etc… Fixed Field Pattern Source IP Address Destination IP Address Source Port Destination Port TTL IP ID Fragbits TCP Flags Seq Ack Etc… Detection Rule Configuration IP Group ICMP Group Fixed Field Pattern Source IP Address Destination IP Address Source Port Destination Port TTL IP ID Fragbits TCP Flags Seq Ack Etc… Fixed Field Pattern Source IP Address Destination IP Address Source Port Destination Port TTL IP ID Fragbits TCP Flags Seq Ack Etc… Payload Pattern Data size Content Offset Depth Uricontent Etc… Attack name Signature ID Etc… Payload Pattern Data size Content Offset Depth Uricontent Etc… Attack name Signature ID Etc… UDP Group H/W Logic Rule Mirror Table Kernel Logic Rule Table Alert related Fields Detection related Fields 1:N matching TCP Group

6 Security Gateway System Team, ETRIAPNOMS 2003 H/W Rule Table ProtocolTCPUDPICMPIP SRC IP DST IP TTL IP ID Fragbits TCP Flags SRC Port DST Port Seq Ack ICMP type ICMP code ICMP ID ICMP Seq Matching ID

7 Security Gateway System Team, ETRIAPNOMS 2003 Detection Algorithm – H/W Packet Monitor PP Filter Check Kernel Preprocessing necessary? FF Pattern Search FF Pattern Matching? PP Flag=1 FF Flag=1 PP Flag=0 FF Flag=0 PP Flag= 1 Or FF Flag= 1 Packet Send PCI Bus KERNEL LOGIC YES NO - PP : Preprocessor - FF : Fixed Field

8 Security Gateway System Team, ETRIAPNOMS 2003 Detection Algorithm – KernelDetection Algorithm Packet Decode Pre process Payload Pattern Search Alert Send FPGA LOGIC PCI Bus PP Flag = 1 FF Flag = 1 Payload Pattern Matching? Preprocessor Detection? CPAB Socket Interface YES YES/NONO

9 Security Gateway System Team, ETRIAPNOMS 2003 SGS Prototype for NSCS FPGA Logic(H/W) Functions Wire-Speed Forwarding 5-Tuple based Flow Classification Statistics/Blocking/Sensing/Fixed Field Pattern Matching Kernel Logic Functions Linux kernel based Kernel Module Programming Payload Pattern Matching/Alert Generation

10 Security Gateway System Team, ETRIAPNOMS 2003 Conclusion & Future Work Present the architecture of NSCS Design the SGS of NSCS Design the architecture of SGS Design the ruleset configuration of SGS Design the FPGA logic and kernel logic of SGS Develop the prototype of SGS Future Work Improve the detection mechanism on high-speed links Guarantee the secure transmission of messages among the prototype systems Resolve the problem derived from the verification of implemented system

11 Security Gateway System Team, ETRIAPNOMS 2003


Download ppt "APNOMS 2003 Security Gateway System Team Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links Byoung-Koo Kim,"

Similar presentations


Ads by Google