NIC-based intrusion detectionA feasibility study.ppt

NIC-based intrusion detection:A feasibility study Srinivasan Parthasarathy Ohio State University Joint work with M. Otey, R. Noronha, G. Li and D.Panda Roadmap Motivation and Approaches Challenges and Objectives Preliminary Work Algorithms Experimental Results Conclusions Motivation Why NIC-based Intrusion Detection Pros Better Coverage and Scalability More security end points Better Reliability and Performance Host is separate from NIC Adaptable, Flexible and Dynamic Intrusion patterns/rules can be modified on the fly so that the ID scheme can adapt. Possible Cons Efficiency and Performance of Network Messaging Solution ? Simple yet effective schemes are needed Coverage and Scalability One-to-one mapping between NICs and hosts ? coverage Natural distribution of computation ? scalability Less aggregation ? Can detect more specific intrusions E.g. a firewall can detect host scans, a NIC is better positioned to track port scans. Can detect intrusion internal to a LAN Conventional setup cannot Cooperating NICs ? can potentially detect more complex exploits Reliability and Performance Independence from host adds to reliability One extra security layer If host is contaminated NIC-security may still be activated If NIC is contaminated or detects an intrusion the host will still be secure Independence from host can improve performance Host OS is not frequently interrupted, can do other stuff If host is loaded, bandwidth not impacted as much. Challenges Building specialized NIC hardware may be too expensive Our objective: work with commodity NICs Resources on commodity NICs are limited Smaller memory, slower processor Efficiency on basic actions (message transfers) a crucial concern Impact of ID schemes on bandwidth of good messages Is NIC-based intrusion detection feasible? Objectives of this study Design some simple algorithms for intrusion detection that are: Efficient Utilize limited resources Evaluation Criteria Detection Accuracy Efficiency Roadmap Motiva