Packet Pattern-Matching for Intrusion Detection


Alireza Shams, City University of London, MSc Telecommunications and Networks, [email protected]

Introduction

In today’s networks, cyber-attacks cause damage or theft and disrupt services with enormous economic and financial impact. Current methods to protect end-user systems rely on user cooperation to install new system patches or upgrade security software, which is slow. In addition, firewalls and intrusion detection systems in the network attempt to detect and block attacks. These systems require accurate and up-to-date signatures, and must operate in real time at high speeds. Software-only implementations cannot meet the performance goals; a combination of software and hardware can be more effective for high-performance pattern matching. Packet content scanning at high speed has become extremely important due to its applications in network security, network monitoring, load balancing, and traffic management in general. Host-based solutions are useful but have drawbacks: they do not scale well to large enterprises and detect threats only after they reach the targets. Continually updating antivirus software and installing patches are necessary but cumbersome for large numbers of enterprise network clients. Network-based defences can potentially block attacks before they reach hosts and protect large host populations more effectively. Firewalls and network intrusion detection systems (NIDS) are well-suited for this purpose. They scan packets to detect malicious intrusions or denial of service (DoS) attacks [1].

Packet Pattern Matching Algorithms

The fundamental string matching paradigm derives from the Aho-Corasick (AC) algorithm. This algorithm constructs a deterministic finite automaton (DFA) that detects all occurrences of any given set of patterns by processing the input in a single pass, performing one state transition for each input byte. An alternative is the shift-based paradigm, which includes the Boyer-Moore (BM) algorithm as well as the modified Wu-Manber (MWM) algorithm [2].

Wind River Intelligent Network Platform

Wind River Intelligent Network Platform provides end-to-end deep packet inspection functionality that identifies traffic flows, communication protocols, and applications, and performs high-performance pattern matching [3].

Intrusion Detection System (Snort) and Antivirus (ClamAV)

It is possible, using the most up-to-date tools available, to protect against virtually every type of threat that is currently known. Unfortunately, new threats and security holes in one software package or another are being discovered on a daily basis.

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature-, protocol-, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS. ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high-performance multithreaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates.

At the heart of almost every modern security tool is a pattern matching algorithm. The networking environment of recent years demands coping with a set of new challenges in order to stay relevant against current security threats. This thesis presents algorithms and techniques in the field of deep packet inspection that deal with such challenges: scalability demands, Web traffic compression and the security of the security tool itself [2].

What Is Wrong With Traditional Methods?

The aforementioned algorithms cannot cope with today’s increased number of traffic sources and speeds. There are three major problems:

Scalability: It is essential to increase the speed and reduce the memory requirements of pattern matching solutions.

Compressed Traffic: HTTP compression is used today to compress text when transferring pages over the Web. The sharply increasing number of compressed Web pages is largely motivated by the increase in Web surfing over mobile devices. Sites such as Yahoo!, Google, MSN, YouTube, Facebook and others use HTTP compression to speed up the download of their content. For example, in February 2012, W3Techs published a ranking breakdown report which shows that 44.7% of Web sites compress their traffic; when focusing on the top 1 000 sites, a remarkable 83.4% of the sites compress their traffic [2].

Resiliency: Increased traffic rates and compressed traffic are legitimate Internet phenomena. Still, NIDS and firewalls, as the security tools that protect against malicious users, are naturally becoming a favourable target for illegitimate phenomena such as denial-of-service attacks. A recent trend is a two-phase combined attack on security devices: the attackers first neutralize the device, for example by overwhelming it with traffic, and then, once it has been knocked down, attack the assets it was protecting [2].

So What Is The Resolution?

Four appropriate solutions are provided:

1. Scalable Pattern Matching using Longest Prefix Match Solutions
2. Space-Efficient Deep Packet Inspection of Compressed Web Traffic
3. Multi Core Architecture for Mitigating Complexity Attacks [2]
4. Wind River Intelligent Network Platform

Conclusion

This project will aim for breakthrough advances in packet pattern matching that improve performance and capabilities compared to the current state of the art, which is necessary given the increasing speed and capacity of computer networks. The outcomes will be new algorithms, hardware/software designs and theory appropriate for the next generation of networks.
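The following added example (not code from the poster or from the cited thesis) illustrates two of the points above: the Aho-Corasick single-pass DFA that matches a whole signature set with one transition per byte, and why the compressed-traffic problem exists, since the automaton only finds its patterns after a gzip HTTP body has been inflated. The signatures, the HTML body and the function names are constructed for the example.

```python
import gzip
from collections import deque

def build_automaton(patterns):
    """Aho-Corasick construction: trie (goto), failure links, output sets."""
    goto, fail, out = [{}], [0], [set()]
    for pat in patterns:                      # phase 1: trie of all patterns
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(pat)
    q = deque(goto[0].values())               # phase 2: failure links by BFS
    while q:
        r = q.popleft()
        for b, s in goto[r].items():
            q.append(s)
            f = fail[r]                       # follow the parent's failures
            while f and b not in goto[f]:     # until a state with a b-edge
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]            # a suffix match is also a match
    return goto, fail, out

def scan(automaton, data):
    """Single pass, one transition per input byte; returns (offset, pattern)."""
    goto, fail, out = automaton
    s, hits = 0, []
    for i, b in enumerate(data):
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        for pat in out[s]:
            hits.append((i - len(pat) + 1, pat))
    return sorted(hits)

# Constructed sample signatures; the overlapping pair shows the output-set union.
SIGNATURES = [b"<script>", b"script>", b"cmd.exe"]
AUTOMATON = build_automaton(SIGNATURES)
def inspect_http_body(body, content_encoding=None):
    """DPI of an HTTP body: inflate gzip first, otherwise the DFA sees only noise."""
    if content_encoding == "gzip":
        body = gzip.decompress(body)
    return scan(AUTOMATON, body)
# Constructed sample body as a server would send it with Content-Encoding: gzip.
SAMPLE_HTML = b"<html><body>hi</body><script>x()</script></html>"
SAMPLE_GZIP = gzip.compress(SAMPLE_HTML)
```

Calling inspect_http_body(SAMPLE_GZIP) returns no hits, while inspect_http_body(SAMPLE_GZIP, "gzip") reports every signature occurrence with its byte offset, which is why the space-efficient inspection of compressed traffic listed as solution 2 matters.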

This research will investigate new algorithms for multi-pattern matching that can enable high performance hardware-based implementations for network filtering applications.

Acknowledgement

The author would like to thank Prof. Tom Chen and Prof. David Stupples for their scientific advice, and Dr Ioannis Kaparias for all his advice in the Research Skills classes.

References

[1] F. Yu, R. Katz, and T. V. Lakshman. Gigabit rate packet pattern-matching using TCAM. In IEEE International Conference on Network Protocols (ICNP), Berlin, Germany, Oct. 2004.
[2] Y. Koral. High Performance Deep Packet Inspection. Ph.D. Dissertation, Tel Aviv University, 2012.
[3] D. Milano. Accelerating, Analyzing, and Securing Network Traffic: Building High-performance, Next-generation Networks with the Wind River Intelligent Network Platform on Intel® Architecture. 28 Apr. 2013.