
Slide 1
Hao Che / University of Texas at Arlington
CSIIR and IOC 1st Annual Workshop – March 14-15, 2005, Oak Ridge National Lab
Building Robust, Flexible, Scalable Distributed Intrusion Detection Systems (DIDSes)
Hao Che, Department of Computer Science and Engineering, University of Texas at Arlington

Slide 2: Outline
- Motivations
- Proposed solution
- Thoughts on attack identification
- Research goal

Slide 3: Motivations
- Intrusion detection systems (IDSes) must be distributed to deal with distributed attacks
- Various types of DIDSes are being built, including:
  - Host-based versus network-based:
    - Host-based DIDS
    - Network-based DIDS
    - Hybrid DIDS
  - Centralized versus distributed:
    - DIDS with centralized control
    - DIDS with distributed control
    - Both may be hierarchical or flat

Slide 4: Motivations
- A DIDS should be:
  - Robust: able to cope with partial failures of the DIDS through, e.g., dynamic resource sharing and dynamic load balancing
  - Flexible: able to allow, e.g., fast run-time software upgrades and rule table updates, and flow tracking at various granularities
  - Scalable: able to keep up with multigigabit line rates and scale to large networks
- In general, existing DIDSes cannot meet all of the above requirements simultaneously:
  - Most DIDSes do not address the robustness issue
  - Software-based IDSes cannot keep up with gigabit line rates
  - Hardware-based solutions lack flexibility

Slide 5: A Proposed Solution
- Network level: building a Secured DIDS Overlay using multipath for:
  - both link and node resource optimization
  - fast failure recovery
- Network-based IDS: point-to-point multipath
- Host-based IDS: point-to-multipoint (multipoint-to-point) multipath

Slide 6: A Proposed Solution
- Node level: a hybrid solution for network-based IDS design:
  - Separation of string matching into header matching and payload string matching
  - Stateful and stateless header matching and load balancing are handled by a fully run-time programmable network processor at multigigabit rate
  - Payload string matching is performed by a set of traditional sensors at lower rates
  - A network-based IDS may operate in one of two modes: stealthy mode or inline mode

Slide 7: A Proposed Solution
- Stealthy Mode: for intrusion detection only
- Inline Mode: for both intrusion detection and prevention
[Figure: line card block diagrams for both modes. Stealthy mode feeds the line card from a tap; inline mode sits in the forwarding path between the network and the monitored network. Line card components: Framer/SerDes, Network Processor, TCAM Coprocessor, CPU, MEM, Traffic Manager; outputs go to Local Sensors, To Remote Sensors, and the IDS Console.]

Slide 8: A Proposed Solution
Intel IXP 2800 Multigigabit Network Processor:
- Micro-engines (MEs) can be configured to work in pipeline and/or parallel
- Each ME runs its own micro-code, and the micro-code can be swapped at run-time
- The XScale Core maintains flow state and any other control plane functions

Slide 9: A Proposed Solution
A Four-Stage Configuration:
- 1st stage: one ME distributes packets evenly to the MEs in the 2nd stage
- 2nd stage: a set of MEs performs stateful flow classification and load balancing
- 3rd stage: a set of MEs reorders the out-of-order packets received from the 2nd stage
- 4th stage: outgoing packets are scheduled based on their QoS requirements
[Figure: pipeline diagram, dispatcher -> load balancer -> sequencer -> scheduler]
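As an added illustration (not code from the talk) of how stages 2 and 3 fit together, the Python below models a stateful flow balancer that pins each flow to one payload sensor (re-pinning flows when a sensor fails, in the spirit of the robustness goal on slide 4) and a sequencer that restores per-flow packet order after parallel stage-2 processing. The sensor names, the flow-key tuple and the per-flow sequence numbers are constructed assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto), constructed


@dataclass
class Packet:
    flow: FlowKey
    seq: int        # per-flow sequence number, assumed stamped by the stage-1 dispatcher
    payload: bytes


class FlowBalancer:
    """Stage 2 model: stateful flow classification and load balancing. A flow is
    pinned to one payload sensor on its first packet so that sensor sees the whole
    flow; the flow table stands in for state the XScale core would keep."""

    def __init__(self, sensors: List[str]) -> None:
        self.sensors = list(sensors)
        self.flow_table: Dict[FlowKey, str] = {}

    def assign(self, pkt: Packet) -> str:
        sensor = self.flow_table.get(pkt.flow)
        if sensor not in self.sensors:  # new flow, or pinned to a sensor that failed
            h = int.from_bytes(hashlib.sha256(repr(pkt.flow).encode()).digest()[:4], "big")
            sensor = self.sensors[h % len(self.sensors)]
            self.flow_table[pkt.flow] = sensor
        return sensor

    def sensor_failed(self, name: str) -> None:
        self.sensors.remove(name)  # partial failure: its flows re-pin on their next packet


class Sequencer:
    """Stage 3 model: release each flow's packets in sequence order even when the
    parallel stage-2 MEs hand them over out of order."""

    def __init__(self) -> None:
        self.next_seq: Dict[FlowKey, int] = {}
        self.pending: Dict[FlowKey, Dict[int, Packet]] = {}

    def push(self, pkt: Packet) -> List[Packet]:
        buf = self.pending.setdefault(pkt.flow, {})
        buf[pkt.seq] = pkt
        nxt = self.next_seq.get(pkt.flow, 0)
        released = []
        while nxt in buf:  # emit the contiguous run that is now complete
            released.append(buf.pop(nxt))
            nxt += 1
        self.next_seq[pkt.flow] = nxt
        return released
```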

Slide 10: A Proposed Solution
Summary of the proposed solution:
- It enhances the robustness, flexibility, and scalability of existing DIDSes
- In the inline mode, the proposed IDS can also serve as a dynamic firewall for intrusion prevention
- The run-time programmability of the proposed IDS is an important capability which can be further exploited to build an intelligent DIDS

Slide 11: Thoughts on Attack Identification
Two key components in a DIDS:
- Attack identification
- Alert correlation
Two candidate techniques:
- Robust identification
- Frequency domain analysis

Slide 12: Thoughts on Attack Identification
- A state-of-the-art robust identification technique developed by experts in the control area
- Problem statement:
  - Given:
    - a model of the plant under normal conditions, G_o(λ, ∆_o)
    - failure dynamics G_i(λ, ∆_i)
    - a bound δ on the measurement noise
    - uncertainty sets ∆_i
    - N input/output experiment measurements
  - Determine:
    1. Whether a fault has occurred
    2. In that case, isolate it and determine its strength
- Can be used for both anomaly and misuse detection

Slide 13: Thoughts on Attack Identification
- An immature thought on alert correlation
- Frequency domain analysis may play an important role because:
  - The power spectrum captures the relative strength of the correlated signals at different frequencies or timescales
  - It is a mature research field and various tools are readily available

Slide 14: Research Goal
- Research goal by the end of this summer: a detailed architecture of the proposed research with one of two possible outcomes:
  1. A DIDS architecture with the proposed solution integrated with a new anomaly and misuse detection mechanism
  2. A DIDS architecture that integrates the proposed solution with an existing DIDS
- The outcome will serve two purposes:
  1. A proposal for funding opportunities
  2. The basis for the development of such a DIDS

Slide 15
Thanks!!!

