Operational Experiences With High-Volume Network Intrusion Detection

Size: px

Start display at page:

Download "Operational Experiences With High-Volume Network Intrusion Detection"

Christopher Richards
6 years ago
Views:

1 Operational Experiences With High-Volume Network Intrusion Detection Holger Dreger 1 Anja Feldmann 1 Vern Paxson 2 Robin Sommer 1 1 TU München Germany 2 ICSI / LBNL Berkeley, CA, USA ACM Computer and Communications Security 2004 Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

2 Network Intrusion Detection in High-Volume Networks Experience with open-source NIDSs in Gbps environments: Snort dropped lots of packets CPU load too high Bro additionally consumed all memory stores too much state Questions Key factors in terms of resource usage? Ways to reduce resource consumption? Impact on detection rate? No answers available Researchers often lack access to high-volume environments Commercial vendors keep their techniques private Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

3 Outline 1 Environments 2 Operational Experiences 3 Extensions to the NIDS 4 Trade-Off: Detection Rate vs. Resource Usage Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

4 Environments Operational environments Munich Scientific Network University of California, Berkeley Lawrence Berkeley National Laboratory Main research environment: Munich Scientific Network Two major universities and several research institutes Gbps Internet uplink transferring 1-2 TB each day 50,000 hosts; 65,000 users Monitor: Dual Athlon 1800+, FreeBSD Traces augment our study to demonstrate challenges Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

5 Bro NIDS Powerful open-source NIDS Research project started in 1995 Supports different approaches to intrusion detection Focuses on Semantically high-level analysis Efficiency Extensibility Resistance to evasion Separation of mechanism and policy Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

6 Outline 1 Environments 2 Operational Experiences Memory Consumption CPU Consumption 3 Extensions to the NIDS 4 Trade-Off: Detection Rate vs. Resource Usage Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

7 Memory Consumption Stateful NIDS maintains representation of network s state The more it knows about the network the more it can detect Connection state Instantiated when connection starts Removed when connection ends User state NIDS may provide scripting language for customizations Data structures store state (e.g., arrays) User is responsible to delete state eventually Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

8 Running Out Of Memory: Connection State #connections/min Crash #connections in memory 0e+00 2e+05 4e+05 6e+05 all connections SYN seen established or half closed Crash Fri 18:00 Sat 6:00 Sat 18:00 Sun 6:00 Sun 18:00 Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

9 Running Out Of Memory: Connection State #connections/min Crash #connections in memory 0e+00 2e+05 4e+05 6e+05 all connections Crash Fri 18:00 Sat 6:00 Sat 18:00 Sun 6:00 Sun 18:00 Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

10 Running Out Of Memory: Connection State #connections/min Crash #connections in memory 0e+00 2e+05 4e+05 6e+05 all connections SYN seen Crash Fri 18:00 Sat 6:00 Sat 18:00 Sun 6:00 Sun 18:00 Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

11 Running Out Of Memory: Connection State #connections/min #connections in memory e+00 2e+05 4e+05 6e+05 all connections SYN seen established or half closed Fri 18:00 Sat 6:00 Sat 18:00 Sun 6:00 Sun 18:00 Crash Crash Observation Many established connections are not deleted Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

12 Running Out Of Memory: Connection State Avoiding evasion is design goal Only delete connection state when it is safe Problem Not feasible in high-volume environments Approaches to expire connection prematurely Limit number of connections in memory Limit total amount of connection state memory Limit connection life-time with inactivity time-outs Trade-Off Memory-consumption vs. detection rate Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

13 Running Out of Memory: User State Bro s scan detector is a user-level script #connections/min Crash State in MBytes total memory Crash Sat 0:00 Sun 0:00 Mon 0:00 Tue 0:00 Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

14 Running Out of Memory: User State Bro s scan detector is a user-level script #connections/min Crash State in MBytes total memory Crash Sat 0:00 Sun 0:00 Mon 0:00 Tue 0:00 Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

15 Running Out of Memory: User State Bro s scan detector is a user-level script #connections/min State in MBytes total memory user state memory Crash Crash Observation Much of the user state is not deleted Sat 0:00 Sun 0:00 Mon 0:00 Tue 0:00 Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

16 Running Out of Memory: User State Avoiding evasion is design goal Detecting all scans requires remembering all connections Problem Again not feasible in high-volume environments Added mechanisms to expire user state Ease deleting state explicitly Allow deleting state implicitly via time-outs Adapted default scripts to make use of them Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

17 Outline 1 Environments 2 Operational Experiences Memory Consumption CPU Consumption 3 Extensions to the NIDS 4 Trade-Off: Detection Rate vs. Resource Usage Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

18 CPU Consumption When analysis exceeds available time packet drops occur Major reason: network load exceeds processing capacity Current commodity hardware cannot analyze every packet Need to find a tractable subset of traffic Problem: Internet traffic is very dynamic Long-term effects: time-of-day and day-of-week Short-term effects: traffic is multi-fractal Anomalies: worms, floods, misbehaving software Hard to predict time even for well-understood traffic Per-packet processing time varies widely Processing spikes triggered by individual packets Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

19 Fluctuating Processing Times Example: Running times for different depths of analysis Probability density Core packet loop Processing time per 10,000 packets (secs) Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

20 Fluctuating Processing Times Example: Running times for different depths of analysis Probability density Core packet loop Connection summaries Processing time per 10,000 packets (secs) Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

21 Fluctuating Processing Times Example: Running times for different depths of analysis Probability density Core packet loop Connection summaries Internal HTTP decoder Processing time per 10,000 packets (secs) Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

22 Fluctuating Processing Times Example: Running times for different depths of analysis Probability density Core packet loop Connection summaries Internal HTTP decoder Full HTTP analysis Processing time per 10,000 packets (secs) Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

23 Fluctuating Processing Times Example: Running times for different depths of analysis Probability density Core packet loop Connection summaries Internal HTTP decoder Full HTTP analysis Observation Per-packet time fluctuates a lot Consequence Hardly possible to predict worst-case Processing time per 10,000 packets (secs) Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

24 Processing Spikes Example: Spikes triggered by a single packet Secs per 10,000 packets Packet real time Wed 14:00 Wed 15:00 Wed 16:00 Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

25 Processing Spikes Example: Spikes triggered by a single packet Secs per 10,000 packets Packet real time Packet processing time Wed 14:00 Wed 15:00 Wed 16:00 Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

26 Processing Spikes Example: Spikes triggered by a single packet Secs per 10,000 packets Packet real time Packet processing time Spikes Hash table resizes Solution Distribute across many packets Wed 14:00 Wed 15:00 Wed 16:00 Time Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

27 Outline 1 Environments 2 Operational Experiences 3 Extensions to the NIDS 4 Trade-Off: Detection Rate vs. Resource Usage Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

28 High-Volume Extensions New time-outs Automatically expire internal and user state Connection compressor Defers instantiation of connection state Load-levels Adapt the NIDS s configuration to the current network load Measure load by either CPU usage or packet drops Flood-detector Excludes flood victim from analysis Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

29 Trade-Off: Detection Rate vs. Resource Usage Usual trade-off in computer science Time vs. memory Network Intrusion Detection Detection rate vs. resource usage Bro s design emphasizes detection High-volume environments require different trade-off Trade-off is policy decision left to the user Variant of Kerkhoff s principle avoids predictability Detection mechanisms are public Environment-specific parameterizations are private Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

30 Summary Network intrusion detection in high-volume environments Unusual trade-off between detection rate and resource usage Dynamic traffic makes it hard to find a stable point of operation Our work Thorough understanding of the trade-off Tuning mechanisms to successfully operate the system Outlook Deploying specialized monitoring hardware Refining measurement models Developing auto-configuration tool Adapting to still larger link capacities Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

31 Operational Experiences With High-Volume Network Intrusion Detection Holger Dreger 1 Anja Feldmann 1 Vern Paxson 2 Robin Sommer 1 1 TU München Germany 2 ICSI / LBNL Berkeley, CA, USA ACM Computer and Communications Security 2004 Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

32 Further Issues In High-Volume Networks Artifacts of the monitoring environment Limits imposed by commodity PC hardware Merging of multiple Gbps into one Router-side buffer overruns Optical-taps: uni-directional Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

33 Further Issues In High-Volume Networks Artifacts of the monitoring environment Limits imposed by commodity PC hardware Merging of multiple Gbps into one Router-side buffer overruns Optical-taps: uni-directional Programming deficiencies will be severely punished Expecting any sort of reasonable traffic is sure to fail Memory leaks are a major hassle Robin Sommer (TU München) High-Volume Network Intrusion Detection CCS / 19

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias Vallentin 1, Robin Sommer 2,3, Jason Lee 2, Craig Leres 2 Vern Paxson 3,2, and Brian Tierney 2 1 TU München