The goal of an intrusion detection system is to detect inappropriate, incorrect, and unusual activity on a network or on the hosts belonging to a local network by monitoring network activity. To determine if an attack has occurred or if one has been attempted typically requires sifting through huge amounts of data (gathered from the network, host or file system) looking for clues of suspicious activity. There are two general approaches to this problem — signature detection (also known as misuse detection), where one looks for patterns of well-known attacks, and anomaly detection, that looks for deviations from normal behavior.
Most work on signature and anomaly detection has relied on detecting intrusions at the level of the host processor. A problem with that approach is that the CPU doing the detection is also the resource the attack consumes: even if intrusion activity is detected, one is often unable to prevent the attack from disrupting the system and saturating the host CPU (e.g. in the case of denial-of-service attacks).
As an alternative to relying on the host’s CPU to detect intrusions there is growing interest in utilizing the NIC (network interface card) as part of this process, too. The primary role of NICs in computer systems is to move data between devices on the network. A natural extension to this role would be to actually police the packets forwarded in each direction by examining packet headers and simply not forwarding suspicious packets.
Recently there has been a fair amount of activity in the area of NIC-based computing. Related to the work on NIC-based intrusion detection systems is the use of NICs for firewall security. The idea is to embed firewall-like security at the NIC level. Firewall functionality, such as packet filtering, packet auditing, and support for multi-tiered security levels, has been proposed and, actually, commercialized in 3Com’s embedded firewall.
The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection is based on the following points:
· Functions such as signature- and anomaly-based packet classification can be performed on the NIC, which has its own processor and memory. This is much harder to bypass or tamper with from a compromised host than a software-based system that relies on the host operating system, provided the channel through which the NIC accepts new rules and firmware is itself authenticated; whoever controls that channel controls the detector.
· If the host is running other programs concurrently with the intrusion detection software, an intrusion detection system that relies on host processing may be slowed down, reducing the bandwidth available for network transmissions. A NIC-based strategy is not affected by the load on the host; its limit is the NIC's own processor and memory, discussed below.
· Centralized intrusion detection systems run into a scalability problem that NIC-based intrusion detection does not. Each NIC handles only the in-bound and out-bound traffic of the host or local area network segment it is attached to, so the work load is distributed across the NICs.
· NIC-based strategies provide better coverage and functional separation since internal NICs can detect portscans while NICs at the firewall can detect host-scans.
· The NIC-based scheme is flexible, dynamically adaptive, and can work in conjunction with existing host-based intrusion detection systems. The host-based intrusion detection system can download new rules/signatures into the NIC on the fly, making the detection process adaptive.
The current disadvantage of NIC-based intrusion detection is that the NIC's processor is much slower and its memory sub-system much smaller than the host's. Implementing algorithms on the NIC therefore presents several new challenges. For example, NICs typically cannot perform floating-point operations, so algorithms implemented for the NIC must resort to estimates computed with fixed-point (integer) arithmetic. There is also a need to limit the impact on bandwidth and latency for normal, non-intrusive traffic, since every packet passes through the NIC's checks. So the challenge becomes how best to use the NIC's limited processing capabilities for intrusion detection.
Of the two general approaches, signature detection works reliably on known attacks but has the obvious disadvantage of not being able to detect new attacks. Anomaly detection can detect novel attacks, but it cannot discern intent: it can only signal that some event is unusual, not that it is hostile, and so it generates false alarms.
Signature detection methods are better understood and more widely applied. They are used in both host-based systems, such as virus detectors, and in network-based systems such as Snort and Bro. These systems use a set of rules encoding knowledge gleaned from security experts to test files or network traffic for patterns known to occur in attacks. One limitation is that as new vulnerabilities or attacks are discovered, the rule set must be updated by hand. Another is that minor variations in an attack (a different encoding of the same payload, for instance) can often evade the rules.
Anomaly detection is a harder problem than signature detection: signatures of attacks can be very precise, while what counts as normal is more abstract and ambiguous. Rather than finding rules that characterize attacks, one attempts to find rules that characterize normal behavior. Since what is normal varies across environments, a distinct model of normal behavior has to be learned for each one. Much of the research in anomaly detection models normal behavior from a (presumably) attack-free training set; if that set contains an attack, the attack is learned as normal. Because one cannot predict all possible non-hostile behavior, false alarms are inevitable. Researchers found that when a vulnerable UNIX system program or server is attacked (for example, using a buffer overflow to open a root shell), the program makes sequences of system calls that differ from the sequences found under normal operation.
Current network anomaly detection systems such as NIDES, ADAM, and SPADE model only features of the network and transport layers, such as port numbers, IP addresses, and TCP flags. Models built from these features can detect probes (such as port scans) and some denial-of-service (DoS) attacks on the TCP/IP stack, but they cannot detect attacks in which the exploit code is carried to a public server in the application payload, because the payload is never examined. Most current anomaly detectors use a stationary model, in which the probability of an event depends on its average rate during training and does not vary with time. While most research in intrusion detection has focused on either signature detection or anomaly detection, most researchers have realized that the two must work hand in hand to be most effective.
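The two approaches contrasted above, side by side, as an added example written for this page (it is not code from the original text, from Snort or from Bro): a Snort-style signature, meaning a destination port plus a byte pattern in the payload, beside a stationary anomaly model over destination ports trained on an attack-free sample. The rule, the "/bin/sh" pattern, the three packets, the training traffic and the 1-in-200 rarity threshold are all constructed for the illustration. The exploit packet trips the signature but looks normal to the port model; a trivial variant of the same payload defeats the signature and is missed by both; a harmless packet to an unusual port is flagged by the anomaly model only, which is the false alarm the text describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Minimal view of a packet: destination port and application payload. */
struct pkt {
    uint16_t dst_port;
    const uint8_t *payload;
    size_t len;
};

/* A Snort-style signature: destination port (0 = any) plus a byte pattern that
 * must occur somewhere in the payload. Constructed for this example. */
struct sig {
    const char *name;
    uint16_t dst_port;
    const uint8_t *pattern;
    size_t pattern_len;
};

#define BYTES(s) ((const uint8_t *)(s)), (sizeof(s) - 1)

static const struct sig RULES[] = {
    { "cgi-shell-spawn", 80, BYTES("/bin/sh") },
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* Naive byte-string search; returns 1 if pat occurs in the payload. */
static int payload_contains(const struct pkt *p, const uint8_t *pat, size_t n)
{
    if (n == 0 || p->len < n) return 0;
    for (size_t i = 0; i + n <= p->len; i++)
        if (memcmp(p->payload + i, pat, n) == 0) return 1;
    return 0;
}

/* Signature detection: index of the first matching rule, or -1. */
int signature_match(const struct pkt *p)
{
    for (size_t i = 0; i < NRULES; i++) {
        if (RULES[i].dst_port != 0 && RULES[i].dst_port != p->dst_port) continue;
        if (payload_contains(p, RULES[i].pattern, RULES[i].pattern_len)) return (int)i;
    }
    return -1;
}

/* Stationary anomaly model: a port's probability is its average rate in the
 * training set and never changes afterwards. A full 65536-entry table is fine
 * on a host; a NIC with little memory would track only a bounded set of ports. */
struct port_model {
    uint32_t count[65536];
    uint32_t total;
};

void train_port_model(struct port_model *m, const uint16_t *ports, size_t n)
{
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n; i++) { m->count[ports[i]]++; m->total++; }
}

/* Flag a port never seen in training, or seen in fewer than 1 in 200 packets. */
int port_is_anomalous(const struct port_model *m, uint16_t port)
{
    if (m->total == 0) return 1;                     /* untrained model: trust nothing */
    return (uint64_t)m->count[port] * 200 < m->total;
}

#define SIG_HIT  1   /* bit flags returned by classify() */
#define ANOM_HIT 2

int classify(const struct port_model *m, const struct pkt *p)
{
    int flags = 0;
    if (signature_match(p) >= 0) flags |= SIG_HIT;
    if (port_is_anomalous(m, p->dst_port)) flags |= ANOM_HIT;
    return flags;
}

/* Constructed attack-free training traffic: mostly web, a little SSH. */
static const uint16_t TRAINING_PORTS[] = { 80, 80, 80, 80, 80, 80, 443, 443, 443, 22 };
#define TRAINING_N (sizeof TRAINING_PORTS / sizeof TRAINING_PORTS[0])

/* Constructed test packets. */
const struct pkt PKT_EXPLOIT = { 80,    BYTES("GET /cgi-bin/x?c=/bin/sh HTTP/1.0") };
const struct pkt PKT_VARIANT = { 80,    BYTES("GET /cgi-bin/x?c=/bin//sh HTTP/1.0") }; /* same intent, pattern broken */
const struct pkt PKT_ODDPORT = { 31337, BYTES("hello") };                               /* odd port, harmless payload */

struct port_model MODEL;

/* Trains MODEL on the constructed traffic and returns the classify() flags for one packet. */
int demo_classify(const struct pkt *p)
{
    train_port_model(&MODEL, TRAINING_PORTS, TRAINING_N);
    return classify(&MODEL, p);
}

int main(void)
{
    printf("exploit : %d\n", demo_classify(&PKT_EXPLOIT));   /* 1: signature only */
    printf("variant : %d\n", demo_classify(&PKT_VARIANT));   /* 0: both miss */
    printf("odd port: %d\n", demo_classify(&PKT_ODDPORT));   /* 2: anomaly only */
    return 0;
}
```

The payload check is what the port-only models in the paragraph above lack: drop `signature_match()` and the exploit packet becomes indistinguishable from ordinary web traffic, because port 80 is the most common port in training.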
The quantitative improvements observed for NIC-based IDS when tested against host-based IDS can be attributed to the fact that the host operating system does not have to be interrupted for the detection process. Thus on heavily loaded hosts admissible network traffic proceeds at a consistent rate, provided the computational and memory resources of the NIC are not stretched. The benefit of having the NIC do the policing is that it can actually prevent network-based intrusions from wreaking havoc on host systems, since an intrusive packet, if caught, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot keep up with the rate at which packets arrive, it can begin dropping them, as a sustained overload may itself be indicative of a denial-of-service attack. If the NIC were overwhelmed by such an attack, the host would be spared from it: it is preferable to sacrifice only the NIC (and, for the duration, its link) rather than the entire host machine. From a technology perspective, however, we are not far away from 1 GHz NIC processors with correspondingly larger memory. With those projected systems one can anticipate that NIC-based intrusion detection will do better both quantitatively and qualitatively, as less restrictive and more robust algorithms may be employed.
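The fixed-point constraint described earlier and the policing decision described in this paragraph, combined in one added example written for this page (it is not code from any NIC vendor or from the study the text reports on): a packet-rate estimator that keeps an exponentially weighted moving average of packets per tick in Q16.16 arithmetic using nothing but 32-bit adds and shifts, and turns on dropping once the smoothed rate exceeds a threshold. The per-tick counts, the 1/8 smoothing factor and the 1000 packets-per-tick threshold are constructed; on a real NIC the tick would come from a timer and the packet count from the receive path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Q16.16 fixed point: 16 integer bits, 16 fractional bits in a signed 32-bit word.
 * No floating point and no 64-bit multiply: everything below is adds and shifts. */
typedef int32_t q16;
#define Q16_FRAC_BITS 16
#define Q16_MAX_INT   32767u          /* largest count the integer part can hold */

/* Convert a packet count to Q16.16, saturating so the shift cannot overflow. */
q16 q16_from_count(uint32_t count)
{
    if (count > Q16_MAX_INT) count = Q16_MAX_INT;
    return (q16)(count << Q16_FRAC_BITS);
}

/* Integer part of a non-negative Q16.16 value. */
int32_t q16_to_int(q16 x)
{
    return x / (1 << Q16_FRAC_BITS);
}

/* Exponentially weighted moving average with alpha = 1/8:
 *     avg' = avg + (sample - avg) / 8
 * The divide is a right shift. The sign is handled explicitly because
 * right-shifting a negative value is implementation-defined in C. */
#define EWMA_SHIFT 3

q16 ewma_update(q16 avg, q16 sample)
{
    if (sample >= avg) return avg + ((sample - avg) >> EWMA_SHIFT);
    return avg - ((avg - sample) >> EWMA_SHIFT);
}

struct sim_result {
    int first_drop_tick;   /* index of the first tick with dropping on, or -1 */
    int drop_ticks;        /* number of ticks during which packets were dropped */
    q16 final_avg;         /* estimator state after the last tick */
};

/* Feed per-tick packet counts through the estimator. Dropping is on whenever
 * the smoothed rate exceeds threshold_pps; while it is on, the NIC would discard
 * excess packets instead of forwarding them to the host. Note the memory in the
 * estimator: dropping stays on for a while after the flood stops. */
struct sim_result simulate(const uint32_t *counts, size_t n, uint32_t threshold_pps)
{
    struct sim_result r = { -1, 0, 0 };
    q16 threshold = q16_from_count(threshold_pps);
    for (size_t i = 0; i < n; i++) {
        r.final_avg = ewma_update(r.final_avg, q16_from_count(counts[i]));
        if (r.final_avg > threshold) {
            r.drop_ticks++;
            if (r.first_drop_tick < 0) r.first_drop_tick = (int)i;
        }
    }
    return r;
}

/* Constructed trace: four quiet ticks, a five-tick flood, two quiet ticks. */
const uint32_t DEMO_COUNTS[] = { 100, 100, 100, 100, 5000, 5000, 5000, 5000, 5000, 100, 100 };
#define DEMO_N (sizeof DEMO_COUNTS / sizeof DEMO_COUNTS[0])

int main(void)
{
    q16 avg = 0;
    for (size_t i = 0; i < DEMO_N; i++) {
        avg = ewma_update(avg, q16_from_count(DEMO_COUNTS[i]));
        printf("tick %2zu: %5u pkts, smoothed %5d pps%s\n", i, DEMO_COUNTS[i],
               q16_to_int(avg), avg > q16_from_count(1000) ? "  DROP" : "");
    }
    struct sim_result r = simulate(DEMO_COUNTS, DEMO_N, 1000);
    printf("dropping from tick %d for %d ticks\n", r.first_drop_tick, r.drop_ticks);
    return 0;
}
```

Two design points matter on a small NIC: the saturation in `q16_from_count()` is what keeps a burst larger than 32767 packets from wrapping the estimator into a negative value that would silently turn dropping off, and the shift-based smoothing factor costs one instruction where a general multiply by alpha would need a 64-bit intermediate the NIC may not have.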
Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an embedded firewall network card that fits into standard peripheral slots in PC desktops and servers. The card allows deployment of network security functions such as VPN, firewall, and intrusion detection that protect individual servers and desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of security breaches from people on the internal network.
Because the PCI635 is a NIC-based firewall/VPN/IDS device that runs independently of the host, its protection stays in force even when a Windows vulnerability on the host is exploited. This matters because software-based security solutions can be rendered useless once the OS is exploited, compromising the computer and potentially the internal network. The intrusion detection system (IDS) is based on Snort and increases security by identifying known attacks; like any signature-based system, it does not detect attacks for which it has no signature.