the nids cluster scalable stateful network intrusion
play

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on - PowerPoint PPT Presentation

Jun 09, 2023 •146 likes •409 views

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias Vallentin 1 , Robin Sommer 2,3, Jason Lee 2 , Craig Leres 2 Vern Paxson 3,2 , and Brian Tierney 2 1 TU Mnchen 2 Lawrence Berkeley National

  1. The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias Vallentin 1 , Robin Sommer 2,3, Jason Lee 2 , Craig Leres 2 Vern Paxson 3,2 , and Brian Tierney 2 1 TU München 2 Lawrence Berkeley National Laboratory 3 International Computer Science Institute

  2. Motivation • NIDSs have reached their limits on commodity hardware • Keep needing to do more analysis on more data at higher speeds • However, CPU performance is not growing anymore the way it used to • Single NIDS instance (e.g., Snort, Bro) cannot cope with Gbps links • To overcome, we must either • Restrict the amount of analysis, or • Turn to expensive, custom hardware, or • Employ some form of load-balancing to split analysis across multiple machines • We do load-balancing with the “ NIDS Cluster” • Use many boxes instead of one • Every box works on a slice of traffic • Correlate analysis to create the impression of a single system Recent Advances in Intrusion Detection 2007 2

  3. Correlation is Tricky ... • Most NIDS provide support for multi-system setups • However, instances tend to work independent • Central manager collects alerts of independent NIDS instances • Aggregates results instead of correlating analysis • NIDS cluster works transparently like a single NIDS • Gives same results as single NIDS would if it could analyze all traffic • Does not sacrifice detection accuracy • Is scalable to large number of nodes • Still provides a single system as the user interface (logging, configuration updates) Recent Advances in Intrusion Detection 2007 3

  4. Architecture Tap Gbps Internet Local Gbps Tap NIDS Cluster Recent Advances in Intrusion Detection 2007 4

  5. Architecture Tap Gbps Internet Local Gbps Tap NIDS Cluster Frontend Frontend Recent Advances in Intrusion Detection 2007 4

  6. Architecture Tap Gbps Internet Local Gbps Tap NIDS Cluster Frontend Frontend Backend Backend Backend Backend Backend Backend Backend Backend Backend Backend Backend Backend Recent Advances in Intrusion Detection 2007 4

  7. Architecture Tap Gbps Internet Local Gbps Tap NIDS Cluster Frontend Frontend Backend Backend Backend Backend Backend Backend Proxy Proxy Backend Backend Backend Backend Backend Backend Recent Advances in Intrusion Detection 2007 4

  8. Architecture Tap Gbps Internet Local Gbps Tap NIDS Cluster Frontend Frontend Manager Backend Backend Backend Backend Backend Backend Proxy Proxy Backend Backend Backend Backend Backend Backend Recent Advances in Intrusion Detection 2007 4

  9. Environments • Initial target environment: Lawrence Berkeley National Laboratory • LBNL monitors 10 Gbps upstream link with the Bro NIDS • Setup evolved into many boxes running Bro independently for sub-tasks • Cluster prototype now running at LBNL with 1 frontend & 10 backends • Further prototypes • University of California, Berkeley 2 x 1 Gbps uplink, 2 frontends / 6 backends for 50% of the traffic • Ohio State University 450 Mbps uplink, 1 frontend / 2 backends (10 planned) • IEEE Supercomputing Conference 2007 Conference’s 1 Gbps backbone / 10 Gbps “High Speed Bandwidth Challenge” network • Goal: Replace operational security monitoring Recent Advances in Intrusion Detection 2007 5

  10. Challenges Main challenges when building the NIDS Cluster Distributing the traffic evenly while minimizing need for communication 1. Adapting the NIDS operation on the backend to correlate analysis with peers 2. Validating that the cluster produces sound results 3. Recent Advances in Intrusion Detection 2007 6

  11. Distributing Load Recent Advances in Intrusion Detection 2007 7

  12. Distribution Schemes • Frontends need to pick a backend as destination • Option 1: Route packets individually • Simple example: round-robin • Too expensive due to communication overhead (NIDS keep per-flow state) • Option 2: Flow-based schemes • Send all packets belonging to the same flow to the same backend • Needs communication only for inter-flow analysis • Simple approach: hashing flow identifiers • E.g., md5(src-addr + src-port + dst-addr + dst-port) mod n • Hashing is state-less, which reduces complexity and increases robustness • But how well does hashing distribute the load? Recent Advances in Intrusion Detection 2007 8

  13. Simulation of Hashing Schemes !"#$%&'((")"$*"+%,+-%","$%&'+.)'/0.'1$%234 85 =&6 ! < />( ! <%277%$1&"+4 md5 />( ! < =&6 ! 8 76 75 6 5 !1$%75955 !1$%7:955 !1$%88955 ;0"%<955 1 day of UC Berkeley campus TCP traffic (231M connections), n = 10 Recent Advances in Intrusion Detection 2007 9

  14. Simulation of Hashing Schemes !"#$%&'((")"$*"+%,+-%","$%&'+.)'/0.'1$%234 85 =&6 ! < />( ! <%277%$1&"+4 md5 md5-addr />( ! < =&6 ! 8 76 75 6 5 !1$%75955 !1$%7:955 !1$%88955 ;0"%<955 1 day of UC Berkeley campus TCP traffic (231M connections), n = 10 Recent Advances in Intrusion Detection 2007 9

  15. Cluster Frontends • We chose the address-based hash • Ports not always available (e.g., ICMP , fragments) & more complex to extract • Even with perfect distribution, load is hard to predict • Frontends rewrite MAC addresses according to hash • Two alternative frontend implementations • In software with Click (SHA1) • In hardware with a prototype of Force-10’s P10 appliance (XOR) Recent Advances in Intrusion Detection 2007 10

  16. Adapting the NIDS Recent Advances in Intrusion Detection 2007 11

  17. Cluster Backends • On the backends, we run the Bro NIDS • Bro is the NIDS used in our primary target environment LBNL • Bro already provides extensive, low-level communication facilities • Bro consists of two layers • Core: Low-level, high-performance protocol analysis • Event-engine: Executes scripts which implement the detection analysis • Observation: Core keeps only per-flow state • No need for correlation across backends • Event-engine does all inter-flow analysis • The scripts needs to be adapted to the cluster setting Recent Advances in Intrusion Detection 2007 12

  18. Adapting the Scripts ... • Script language provides primitives to share state • Almost all state is kept in tables, which can easily be synchronized across peers • Main task was identifying state related to inter-flow analysis • A bit cumbersome with 20K+ lines of script code ... • Actually it was a bit more tricky ... • Some programming idioms do not work well in the cluster setting and needed to be fixed • Some trade-offs between gain & overhead exists are hard to assess • Bro’s “loose synchronisation” introduces inconsistencies (which can be mitigated) • Many changes to scripts and few to the core • Will be part of the next Bro release Recent Advances in Intrusion Detection 2007 13

  19. Validating the Cluster Recent Advances in Intrusion Detection 2007 14

  20. Accuracy • Goal: Cluster produces same result as a single system • Compared the results of cluster vs. stand-alone setup • Captured a 2 hour trace at LBNL’s uplink (~97GB, 134M pkts, 1.5 M host pairs) • Splitted the trace into slices and copied them to the cluster nodes • Setup the cluster to examine the slices just as if it would process live traffic • Compared output of the manager with the output of a single Bro instance on the trace • Found excellent match for the alarms & logs • Cluster reported all 2661 alarms of the singe instance as well • Slight differences in timing & context due to latency and synchronization semantics • Some artifacts of the off-line measurement setup Recent Advances in Intrusion Detection 2007 15

  21. CPU Load per Node node0 node1 15 node2 node3 node4 node5 node6 node7 node8 Probability density node9 10 5 0 0.0 0.1 0.2 0.3 0.4 0.5 CPU utilization 10 backends, ext. LBNL config, 2hr full trace, (~97GB, 134M pkts) Recent Advances in Intrusion Detection 2007 16

  22. Scaling of CPU 10 nodes 5 nodes 25 3 nodes 20 Probability density 15 10 5 0 0.0 0.1 0.2 0.3 0.4 0.5 CPU utilization ext. LBNL config, 2hr full trace, (~97GB, 134M pkts) Recent Advances in Intrusion Detection 2007 17

  23. Load on Berkeley Campus 70 Backend 0 Backend 2 Backend 4 Proxy 0 Manager Backend 1 Backend 3 Backend 5 Proxy 1 60 50 40 CPU load (%) 30 20 10 0 Tue 12:00 Tue 18:00 Wed 0:00 Wed 6:00 Wed 12:00 Wed 18:00 Thu 0:00 Thu 6:00 With 1 frontend = 50% of the total traffic Recent Advances in Intrusion Detection 2007 18

  24. Conclusion & Outlook • Cluster monitors Gbps networks on commodity hardware • Provides high-performance, stateful network intrusion detection • Correlates analysis across its nodes rather than just aggregating results • When building the cluster we • Examined different load distribution schemes • Adapted an open-source NIDS to the cluster setting • Evaluated correctness & performance in a real-world setting • Challenge was to build something which works • Less to lead into fundamentally new research directions • Now in the process of making it production quality • We will soon release the Cluster Shell • An interactive shell running on the manager Recent Advances in Intrusion Detection 2007 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scalable Verification of Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly

Scalable Verification of Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly

Scalable Verification of Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, TAU, ICSI Roadmap Why consider stateful networks? The current state of stateful network verification?

1.31k views • 80 slides
Evading/Attacking NIDS Insertion, Evasion, DoS Attacks Proposed Solutions Traf fi c

Evading/Attacking NIDS Insertion, Evasion, DoS Attacks Proposed Solutions Traf fi c

Agenda Network ID Systems Architecture, Problems Evading/Attacking NIDS Insertion, Evasion, DoS Attacks Proposed Solutions Traf fi c Normalization Priyank Porwal Active Mapping COMP 290 Network Intrusion Detection

397 views • 11 slides
The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory

The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory

The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory rsommer@lbl.gov http://www.icir.org UC Computing Services Conference 2007 Outline Design of the Bro NIDS Philosophy Architecture

1.14k views • 39 slides
Enhancing interoperability and stateful analysis of cooperative netw ork intrusion detection

Enhancing interoperability and stateful analysis of cooperative netw ork intrusion detection

ANCS 2007, 3-4-December 2007 Enhancing interoperability and stateful analysis of cooperative netw ork intrusion detection system s Michele Colajanni, Daniele Gozzi and Mirco Marchetti Department of Information Engineering University of

398 views • 16 slides
Simplest Scalable Architecture NOW Network Of Workstations Many types of Clusters (form

Simplest Scalable Architecture NOW Network Of Workstations Many types of Clusters (form

Cluster Computing Simplest Scalable Architecture NOW Network Of Workstations Many types of Clusters (form HPs Dr. Bruce J. Walker) Cluster Computing High Performance Clusters Beowulf; 1000 nodes; parallel programs; MPI

1.19k views • 84 slides
Simplest Scalable Architecture NOW Network Of Workstations Many types of Clusters (form

Simplest Scalable Architecture NOW Network Of Workstations Many types of Clusters (form

Cluster Computing Simplest Scalable Architecture NOW Network Of Workstations Many types of Clusters (form HPs Dr. Bruce J. Walker) Cluster Computing High Performance Clusters Beowulf; 1000 nodes; parallel programs; MPI

655 views • 47 slides
Cluster-Based Scalable Scalability Linear increase in hardware to handle load Network

Cluster-Based Scalable Scalability Linear increase in hardware to handle load Network

Advantages of Clusters Cluster-Based Scalable Scalability Linear increase in hardware to handle load Network Services Adding resources easy for clusters Availability 24 x 7 service, despite transient hardware or software errors

88 views • 4 slides
Perceus A Cluster Provisioning and Management Toolkit Bill Strossman Bill Strossman What

Perceus A Cluster Provisioning and Management Toolkit Bill Strossman Bill Strossman What

Perceus A Cluster Provisioning and Management Toolkit Bill Strossman Bill Strossman What Perceus Is An open source cluster toolkit for provisioning and managing stateless or stateful clusters Highly scalable Highly flexible and

169 views • 14 slides
Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National

Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National

Monitoring Network Security with the Open-Source Bro NIDS Robin Sommer Lawrence Berkeley National Laboratory &amp; International Computer Science Institute rsommer@lbl.gov http://www.icir.org DOE Network Security Monitoring Technical Summit at

922 views • 49 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso,

Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso,

Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso, Rafael M. Gasca, Laurent Lefevre &lt;pneira@us.es&gt;, &lt;gasca@us.es&gt;, &lt;lefevre@inria.fr&gt; Quivir Research Group, University of Sevilla,

1.07k views • 17 slides
Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * ,

Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * ,

Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * , Jihyung Lee , Sangwoo Moon , InsuYun * , Deokjin Kim , Sungryoul Lee , Yung Yi , KyoungSoo Park * * Networked &amp; Distributed

776 views • 41 slides
How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffjc WTMC 2018 Felix

How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffjc WTMC 2018 Felix

How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffjc WTMC 2018 Felix Erlacher , Falko Dressler Network Intrusion Detection Systems (NIDS) Analyze network traffjc for malicous activity Felix Erlacher: How to Test an

671 views • 37 slides
Stateful Chained Network Functions Junaid Khalid W,G and Aditya Akella W 1 *This work does not

Stateful Chained Network Functions Junaid Khalid W,G and Aditya Akella W 1 *This work does not

Correctness and Performance for Stateful Chained Network Functions Junaid Khalid W,G and Aditya Akella W 1 *This work does not have any affiliation with Google Network Function Virtualization (NFV) Hardware NF software NF over commodity

1.76k views • 120 slides
How to build scalable, reliable and stable Kubernetes cluster atop OpenStack Bo Wang

How to build scalable, reliable and stable Kubernetes cluster atop OpenStack Bo Wang

How to build scalable, reliable and stable Kubernetes cluster atop OpenStack Bo Wang bo.wang@easystack.cn HouMing Wang houming.wang@easystack.cn Cluster resources management Cluster data persistence Contents Integrate

378 views • 18 slides
Use Cases Reference: Craig Larman, Applying UML and Patterns, Ch. 6 Use Case What it is:

Use Cases Reference: Craig Larman, Applying UML and Patterns, Ch. 6 Use Case What it is:

Use Cases Reference: Craig Larman, Applying UML and Patterns, Ch. 6 Use Case What it is: Text story Widely used to discover and record (mostly functional) requirements What is it about: Some actor(s) using a system to meet

431 views • 30 slides
Biology: dompanine TD() Using a longer trajectory rather than single step: For a single step:

Biology: dompanine TD() Using a longer trajectory rather than single step: For a single step:

TD learning Biology: dompanine TD() Using a longer trajectory rather than single step: For a single step: The expected total Return from S on is: R(S) = r + V(S) For two steps: TD() n-step return at time t: Using a trajectory of

679 views • 32 slides
Opera.ng Systems History and Overview Por%ons of this material courtesy Profs. Wong and Stark

Opera.ng Systems History and Overview Por%ons of this material courtesy Profs. Wong and Stark

CSE 306: Opera.ng Systems Opera.ng Systems History and Overview Por%ons of this material courtesy Profs. Wong and Stark CSE 306: Opera.ng Systems So what is an OS? 2-2 CSE 306: Opera.ng Systems One view of an OS 2-3 CSE 306: Opera.ng

1.88k views • 55 slides
One year after: What are the implications of the new ESC/EAS LDL-c Guidelines for PCSK9i? Prof.

One year after: What are the implications of the new ESC/EAS LDL-c Guidelines for PCSK9i? Prof.

EBAC Accredited symposium during Digital ESC 2020 PCSK9i &amp; LDL-c: Guidelines, Practice &amp; Innovation: Review of facts and opportunities ESC virtual congress, August, 2020 One year after: What are the implications of the new ESC/EAS LDL-c

709 views • 23 slides
Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang , Chao Xu and Willi

Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang , Chao Xu and Willi

Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang , Chao Xu and Willi Meier Chinese Academy of Sciences FHNW,Switzerland 02-05-2018 Bin Zhang , Chao Xu and Willi Meier ( Chinese Academy

596 views • 48 slides
PRanking with Ranking Koby Crammer Technion Israel Institute of Technology Based on joint

PRanking with Ranking Koby Crammer Technion Israel Institute of Technology Based on joint

PRanking with Ranking Koby Crammer Technion Israel Institute of Technology Based on joint work with Yoram Singer at the Hebrew University of Jerusalem Problem Machine Prediction Users Rating Ranking 3 3 0 3 1 Loss Ranking

596 views • 41 slides
MySQL X Protocol Talking to MySQL Directly over the Wire Simon J Mudd

MySQL X Protocol Talking to MySQL Directly over the Wire Simon J Mudd

MySQL X Protocol Talking to MySQL Directly over the Wire Simon J Mudd &lt;simon.mudd@booking.com&gt; Percona Live Europe Amsterdam 5 th October 2016 Content What is MySQL X protocol How does it work Building Drivers

793 views • 60 slides
Public comments Application driven programs Programmatic design Local government

Public comments Application driven programs Programmatic design Local government

Public comments Application driven programs Programmatic design Local government input Informational workshops Media outreach Homeowners Assistance Outreach Billboards, rolling buses, TV/radio/print, grassroots

442 views • 13 slides

More recommend