Monday, 17 December 2012
Overview
The goal of an intrusion detection system is to detect inappropriate, incorrect, and unusual activity on a network or on the hosts belonging to a local network by monitoring network activity. To determine if an attack has occurred or if one has been attempted typically requires sifting through huge amounts of data (gathered from the network, host or file system) looking for clues of suspicious activity. There are two general approaches to this problem -- signature detection (also known as misuse detection), where one looks for patterns of well-known attacks, and anomaly detection, which looks for deviations from normal behavior.
Most work on signature and anomaly detection has relied on detecting intrusions at the level of the host processor. A problem with that approach is that even if intrusion activity is detected, one is often unable to prevent the attack from disrupting the system and over-utilizing the system CPU (e.g., in the case of denial-of-service attacks).
As an alternative to relying on the host's CPU to detect intrusions, there is growing interest in utilizing the NIC (network interface card) as part of this process, too. The primary role of NICs in computer systems is to move data between devices on the network. A natural extension to this role would be to actually police the packets forwarded in each direction by examining packet headers and simply not forwarding suspicious packets.
Recently there has been a fair amount of activity in the area of NIC-based computing. Related to the work on NIC-based intrusion detection systems is the use of NICs for firewall security. The idea is to embed firewall-like security at the NIC level. Firewall functionality, such as packet filtering, packet auditing, and support for multi-tiered security levels, has been proposed and, actually, commercialized in 3Com's embedded firewall.
Rationale
The rationale for coupling NIC-based intrusion detection with conventional host-based intrusion detection is based on the following points:
* Functions such as signature- and anomaly-based packet classification can be performed on the NIC, which has its own processor and memory. This makes it virtually impossible to bypass or to tamper with (as compared with software-based systems that rely on the host operating system).
* If the host is loaded with other programs running simultaneously (with the intrusion detection software), then an intrusion detection system that relies on host processing may be slowed down, thereby adversely affecting the bandwidth available for network transmissions. A NIC-based strategy will not be affected by the load on the host.
* With centralized intrusion detection systems one encounters a problem associated with scalability -- however, this is not the case with NIC-based intrusion detection. Each individual NIC can handle the in-bound and out-bound traffic of the particular processor/local area network it is connected with, thus effectively distributing the work load.
* NIC-based strategies provide better coverage and functional separation since internal NICs can detect portscans while NICs at the firewall can detect host-scans.
* The NIC-based scheme is flexible, dynamically adaptive, and can work in conjunction with existing host-based intrusion detection systems. The host-based intrusion detection system can download new rules/signatures into the NIC on the fly, making the detection process adaptive.
The Challenge
The current disadvantage to NIC-based intrusion detection is that processing capability on the NIC is much slower and the memory sub-system is much smaller when compared with the host. The task of implementing algorithms on the NIC presents several new challenges. For example, NICs typically are not capable of performing floating point operations. As a result, algorithms implemented for the NIC are forced to resort to estimates based on fixed-point operations. There is also a need to limit the impact on bandwidth and latency for normal, non-intrusive messages. So, the challenge becomes how best to use the NIC's processing capabilities for intrusion detection.
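To make the fixed-point constraint concrete, here is an added example (written for this post, not code from any of the NIC products or research systems mentioned) of the kind of estimate a NIC would have to compute without floating point: an exponentially weighted moving average of the packet rate kept in Q16.16 fixed point, with a drop decision once the smoothed rate crosses a threshold. This is the same "begin dropping packets when the NIC cannot keep up" policing behaviour discussed later under Results. The smoothing weight, threshold and packet counts are constructed values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Q16.16 fixed point: 16 integer bits, 16 fraction bits, in a 32-bit integer.
   Per-interval counts must stay below 32768 for FIX_FROM_INT not to overflow. */
typedef int32_t fix16_t;
#define FIX_ONE          ((fix16_t)1 << 16)
#define FIX_FROM_INT(x)  ((fix16_t)((x) << 16))

/* Multiply two Q16.16 values; the 64-bit intermediate avoids overflow. */
static fix16_t fix_mul(fix16_t a, fix16_t b) {
    return (fix16_t)(((int64_t)a * b) >> 16);
}

/* Per-interface rate monitor state kept in the NIC's memory. */
typedef struct {
    fix16_t  ewma_pps;   /* smoothed packets-per-interval estimate, Q16.16 */
    fix16_t  alpha;      /* smoothing weight in Q16.16 (e.g. 0.25) */
    fix16_t  threshold;  /* drop once the estimate exceeds this many packets per interval */
    uint32_t count;      /* packets seen so far in the current interval */
} rate_monitor_t;

/* alpha is given as a fraction of 256 so callers never touch floating point either. */
void rate_monitor_init(rate_monitor_t *m, uint32_t alpha_per_256, uint32_t threshold_pps) {
    m->ewma_pps = 0;
    m->alpha = (fix16_t)((alpha_per_256 << 16) / 256);
    m->threshold = FIX_FROM_INT(threshold_pps);
    m->count = 0;
}

/* Called once per arriving packet. */
void rate_monitor_packet(rate_monitor_t *m) { m->count++; }

/* Called at the end of each timing interval: ewma = alpha*count + (1-alpha)*ewma. */
void rate_monitor_tick(rate_monitor_t *m) {
    fix16_t sample = FIX_FROM_INT(m->count);
    m->ewma_pps = fix_mul(m->alpha, sample) + fix_mul(FIX_ONE - m->alpha, m->ewma_pps);
    m->count = 0;
}

/* Policing decision: true when the smoothed rate exceeds the threshold, i.e. the NIC
   should start dropping packets instead of forwarding them to the host. */
bool rate_monitor_should_drop(const rate_monitor_t *m) {
    return m->ewma_pps > m->threshold;
}

/* The estimate as a whole number of packets per interval (fraction truncated). */
uint32_t rate_monitor_estimate(const rate_monitor_t *m) {
    return (uint32_t)(m->ewma_pps >> 16);
}

/* Replay a constructed series of per-interval packet counts and return the index of
   the first interval at which the monitor decides to drop, or -1 if it never does. */
int first_drop_interval(const uint32_t *counts, int n, uint32_t alpha_per_256, uint32_t threshold_pps) {
    rate_monitor_t m;
    rate_monitor_init(&m, alpha_per_256, threshold_pps);
    for (int i = 0; i < n; i++) {
        for (uint32_t k = 0; k < counts[i]; k++) rate_monitor_packet(&m);
        rate_monitor_tick(&m);
        if (rate_monitor_should_drop(&m)) return i;
    }
    return -1;
}

/* Constructed traffic: three quiet intervals, then a sustained flood. */
#define BURST_LEN 7
static const uint32_t burst_counts[BURST_LEN]  = { 100, 100, 100, 5000, 5000, 5000, 5000 };
static const uint32_t steady_counts[BURST_LEN] = { 100, 100, 100, 100, 100, 100, 100 };

int main(void) {
    /* alpha = 64/256 = 0.25, threshold = 1000 packets per interval */
    printf("flood: first drop at interval %d\n", first_drop_interval(burst_counts, BURST_LEN, 64, 1000));
    printf("steady: first drop at interval %d\n", first_drop_interval(steady_counts, BURST_LEN, 64, 1000));
    return 0;
}
```

With alpha = 0.25 the estimate after the three quiet intervals is about 58 packets per interval; the first flood interval lifts it to roughly 1293, above the threshold of 1000, so dropping begins in that interval while the quiet series never triggers. Because the average is smoothed, a single short burst does not trip the monitor, which limits false drops for normal, non-intrusive traffic.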
IDS Algorithms
There are two general approaches to the problem of intrusion detection: signature detection (also known as misuse detection), where one looks for patterns that signal well-known attacks, and anomaly detection, which looks for deviations from normal behavior. Signature detection works reliably on known attacks, but has the obvious disadvantage of not being able to detect new attacks. Though anomaly detection can detect novel attacks, it has the drawback of not being able to discern intent; it can only signal that some event is unusual, but not necessarily hostile, thus generating false alarms.
Signature detection methods are better understood and widely applied. They are used in both host based systems, such as virus detectors, and in network based systems such as SNORT and BRO. These systems use a set of rules encoding knowledge gleaned from security experts to test files or network traffic for patterns known to occur in attacks. A limitation of these systems is that as new vulnerabilities or attacks are discovered, the rule set must be manually updated. Another disadvantage is that minor variations in attack methods can often defeat such systems.
Anomaly detection is a harder problem than signature detection because while signatures of attacks can be very precise, what is considered normal is more abstract and ambiguous. Rather than finding rules that characterize attacks, one attempts to find rules that characterize normal behavior. Since what is considered normal could vary across different environments, a distinct model of normalcy can be learned individually. Much of the research in anomaly detection uses the approach of modeling normal behavior from a (presumably) attack-free training set. Because we cannot predict all possible non-hostile behavior, false alarms are inevitable. Researchers found that when a vulnerable UNIX system program or server is attacked (for example, using a buffer overflow to open a root shell), the program makes sequences of system calls that differ from the sequences found under normal operation.
Current network anomaly detection systems such as NIDES, ADAM, and SPADE model only features of the network and transport layer, such as port numbers, IP addresses, and TCP flags. Models built with these features could detect probes (such as port scans) and some denial of service (DOS) attacks on the TCP/IP stack, but would not detect attacks of the type where the exploit code is transmitted to a public server in the application payload. Most current anomaly detectors use a stationary model, where the probability of an event depends on its average rate during training, and does not vary with time. While most research in intrusion detection has focused on either signature detection or anomaly detection, most researchers have realized that the two models must work hand-in-hand to be most effective.
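An added example of the rule-based matching described here, in the form a NIC could run against each packet it forwards (example code written for this post; it is not SNORT or BRO code and does not use their rule syntax). Each rule constrains header fields the NIC has already parsed (protocol, destination port, TCP flags) and optionally a byte pattern that must appear in the payload. The rules, packets and the "../.." pattern are constructed for the demonstration; the last packet shows why a rule scoped to TCP does not fire on UDP traffic, and the clean and malformed-flag packets show the header-only path, which also covers the "examine packet headers and drop suspicious packets" role described in the Overview.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define ANY_PORT  0
#define TCP_FIN   0x01
#define TCP_SYN   0x02
#define TCP_ACK   0x10

/* A packet as the NIC sees it after parsing the IP and TCP/UDP headers. */
typedef struct {
    uint8_t        proto;
    uint16_t       dst_port;
    uint8_t        tcp_flags;     /* 0 for non-TCP */
    const uint8_t *payload;
    size_t         payload_len;
} packet_t;

/* A signature: header constraints plus an optional byte pattern in the payload. */
typedef struct {
    int            id;
    uint8_t        proto;
    uint16_t       dst_port;      /* ANY_PORT matches every port */
    uint8_t        flags_mask;    /* TCP flag bits that must all be set; 0 = don't care */
    const uint8_t *content;       /* NULL = no payload constraint */
    size_t         content_len;
} rule_t;

/* Bounded substring search; written by hand because a NIC has no libc memmem. */
static int payload_contains(const uint8_t *hay, size_t hay_len, const uint8_t *needle, size_t n) {
    if (n == 0) return 1;
    if (hay == NULL || hay_len < n) return 0;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

static int rule_matches(const rule_t *r, const packet_t *p) {
    if (r->proto != p->proto) return 0;
    if (r->dst_port != ANY_PORT && r->dst_port != p->dst_port) return 0;
    if ((p->tcp_flags & r->flags_mask) != r->flags_mask) return 0;
    if (r->content && !payload_contains(p->payload, p->payload_len, r->content, r->content_len)) return 0;
    return 1;
}

/* Returns the id of the first matching rule, or -1 when no signature fires. */
int classify_packet(const rule_t *rules, size_t nrules, const packet_t *p) {
    for (size_t i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], p)) return rules[i].id;
    return -1;
}

/* Constructed rule set: (1) a directory-traversal pattern in established HTTP traffic,
   (2) the illegal SYN+FIN flag combination on any TCP port, a classic scanner signature. */
static const rule_t demo_rules[] = {
    { 1, PROTO_TCP, 80,       TCP_ACK,           (const uint8_t *)"../..", 5 },
    { 2, PROTO_TCP, ANY_PORT, TCP_SYN | TCP_FIN, NULL,                     0 },
};
#define N_DEMO_RULES (sizeof(demo_rules) / sizeof(demo_rules[0]))

/* Classify one of four constructed packets: 0 clean HTTP, 1 HTTP with traversal pattern,
   2 TCP segment with SYN+FIN set, 3 UDP datagram carrying the same traversal bytes. */
int demo_classify(int which) {
    static const uint8_t web_ok[]  = "GET /index.html HTTP/1.0\r\n";
    static const uint8_t web_bad[] = "GET /../../secret HTTP/1.0\r\n";
    const packet_t pkts[4] = {
        { PROTO_TCP, 80, TCP_ACK,           web_ok,  sizeof web_ok - 1 },
        { PROTO_TCP, 80, TCP_ACK,           web_bad, sizeof web_bad - 1 },
        { PROTO_TCP, 22, TCP_SYN | TCP_FIN, NULL,    0 },
        { PROTO_UDP, 53, 0,                 web_bad, sizeof web_bad - 1 },
    };
    if (which < 0 || which > 3) return -2;
    return classify_packet(demo_rules, N_DEMO_RULES, &pkts[which]);
}

int main(void) {
    for (int i = 0; i < 4; i++)
        printf("packet %d -> rule %d\n", i, demo_classify(i));
    return 0;
}
```

Packet 3 is the point the text makes about rule sets needing manual maintenance: the same bytes over UDP go unflagged because no rule covers that protocol, and a small change to the pattern ("..\\.." instead of "../..") would slip past rule 1 in the same way.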
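The two ideas in the preceding paragraphs, the system-call-sequence finding and the stationary model whose event probabilities come from average rates during training, can be shown with one added example (written for this post, not code from any of the research systems named above). It learns a table of syscall n-grams from an assumed attack-free trace, reports how many n-grams of a test trace never occurred in training, and scores the rarest n-gram as total/count, an integer stand-in for 1/p that needs no floating point. The syscall ids and traces are constructed; the same table-and-count model applies unchanged to header features such as destination ports.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NGRAM 3            /* window length: three consecutive system calls */
#define MAX_NGRAMS 256     /* fixed table, sized for a small embedded memory */
#define UNSEEN_SCORE 0xFFFFFFFFu

/* Constructed syscall ids for the example; real ids depend on the platform. */
enum { SC_OPEN = 1, SC_READ, SC_WRITE, SC_CLOSE, SC_MMAP, SC_EXECVE, SC_FORK };

typedef struct {
    uint16_t seq[NGRAM];
    uint32_t count;        /* occurrences during training */
} ngram_entry_t;

typedef struct {
    ngram_entry_t entries[MAX_NGRAMS];
    size_t   n_entries;
    uint32_t total;        /* total n-grams seen in training */
} ngram_model_t;

/* Index of the entry holding seq, or -1 when it was never seen in training. */
static long model_find(const ngram_model_t *m, const uint16_t *seq) {
    for (size_t i = 0; i < m->n_entries; i++) {
        int same = 1;
        for (int k = 0; k < NGRAM; k++)
            if (m->entries[i].seq[k] != seq[k]) { same = 0; break; }
        if (same) return (long)i;
    }
    return -1;
}

/* Training: slide a window over the (assumed attack-free) trace and count each n-gram.
   Returns -1 if the table fills up. */
int model_train(ngram_model_t *m, const uint16_t *trace, size_t len) {
    for (size_t i = 0; i + NGRAM <= len; i++) {
        long idx = model_find(m, &trace[i]);
        if (idx < 0) {
            if (m->n_entries == MAX_NGRAMS) return -1;
            idx = (long)m->n_entries++;
            for (int k = 0; k < NGRAM; k++) m->entries[idx].seq[k] = trace[i + k];
            m->entries[idx].count = 0;
        }
        m->entries[idx].count++;
        m->total++;
    }
    return 0;
}

/* Detection: how many n-grams of the trace never occurred during training. */
size_t model_mismatches(const ngram_model_t *m, const uint16_t *trace, size_t len) {
    size_t misses = 0;
    for (size_t i = 0; i + NGRAM <= len; i++)
        if (model_find(m, &trace[i]) < 0) misses++;
    return misses;
}

/* Stationary-model score: total/count of the rarest n-gram seen in training
   (larger = rarer); UNSEEN_SCORE if any n-gram of the trace is absent entirely. */
uint32_t model_max_rarity(const ngram_model_t *m, const uint16_t *trace, size_t len) {
    uint32_t worst = 0;
    for (size_t i = 0; i + NGRAM <= len; i++) {
        long idx = model_find(m, &trace[i]);
        if (idx < 0) return UNSEEN_SCORE;
        uint32_t score = m->total / m->entries[idx].count;
        if (score > worst) worst = score;
    }
    return worst;
}

/* Constructed traces: training from a program that repeatedly opens, reads, writes and
   closes files; a normal test trace; a rare-but-seen variant; and a trace in which the
   program suddenly forks and execs, the shape a shell-spawning compromise leaves behind. */
static const uint16_t train_trace[] = {
    SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE, SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE,
    SC_OPEN, SC_READ, SC_READ, SC_WRITE, SC_CLOSE, SC_MMAP, SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE };
static const uint16_t normal_trace[] = { SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE, SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE };
static const uint16_t rare_trace[]   = { SC_OPEN, SC_READ, SC_READ, SC_WRITE, SC_CLOSE };
static const uint16_t attack_trace[] = { SC_OPEN, SC_READ, SC_FORK, SC_EXECVE, SC_WRITE, SC_CLOSE };
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

static const uint16_t *pick(int which, size_t *len) {
    if (which == 0) { *len = LEN(normal_trace); return normal_trace; }
    if (which == 1) { *len = LEN(rare_trace);   return rare_trace; }
    *len = LEN(attack_trace); return attack_trace;
}

/* Train on the constructed trace, then score test trace 0 (normal), 1 (rare) or 2 (attack). */
size_t demo_mismatches(int which) {
    ngram_model_t m = {0};
    model_train(&m, train_trace, LEN(train_trace));
    size_t len; const uint16_t *t = pick(which, &len);
    return model_mismatches(&m, t, len);
}

uint32_t demo_max_rarity(int which) {
    ngram_model_t m = {0};
    model_train(&m, train_trace, LEN(train_trace));
    size_t len; const uint16_t *t = pick(which, &len);
    return model_max_rarity(&m, t, len);
}

int main(void) {
    for (int w = 0; w < 3; w++)
        printf("trace %d: %zu unseen n-grams, max rarity %u\n", w, demo_mismatches(w), demo_max_rarity(w));
    return 0;
}
```

The normal trace produces no unseen n-grams and a rarity of 8; the rare trace is also fully known but scores 16 because its double read appeared only once in training, which is exactly the false-alarm risk the text describes, since nothing hostile happened; the fork/exec trace has four unseen n-grams and is flagged outright. Where an operator sets the rarity threshold decides the trade-off between missed attacks and false alarms.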
Results
The quantitative improvements that were observed for NIC-based IDS when tested against host-based IDS can be attributed to the fact that the operating system of the host does not have to be interrupted with the detection process. Thus on heavily loaded hosts admissible network traffic proceeds at a consistent rate, provided the computational and memory resources of the NIC are not stretched. The benefit of having the NIC do the policing is that it can actually prevent network-based intrusions from wreaking havoc on host systems -- since the intrusive packet, if caught, never reaches the host operating system. In effect, the NIC acts as a basic shield for the host. If the NIC cannot catch up with the rate at which packets are arriving, it can begin dropping the packets, as this may be indicative of a denial-of-service attack. If the NIC were to become overwhelmed by such an attack, the host would be spared from it. It is preferable to sacrifice only the NIC to the attack rather than the entire host machine. However, from a technology perspective we are not far away from 1GHz NIC processors (with appropriately larger memory). With those projected systems one can anticipate that NIC-based intrusion detection will do better both from a quantitative standpoint and from a qualitative standpoint (as less restrictive and more robust algorithms may be employed).
Final Comments
Last year CyberGuard Corp. announced the availability of the SnapGear PCI635, an embedded firewall network card that fits into standard peripheral slots in PC desktops and servers. The card allows deployment of advanced network security functions, such as virtual private network, firewall and intrusion detection, that protect individual servers and desktops from internal and external threats. The PCI635 can also be configured to prevent desktop users from tampering with security settings, further reducing the threat of security breaches from people on the internal network.
Because this is a NIC-based firewall/VPN/IDS device that is independent of the host, the PCI635 makes the desktop system immune to Windows vulnerability exploits. This is important since software-based security solutions can be rendered useless if the OS is exploited, compromising the computer and potentially the internal network. The intrusion detection system (IDS) is based on Snort and increases security by identifying known security attacks.