TU Berlin

Publications about the Time Machine

Operational Network Intrusion Detection: Resource-Analysis Tradeoffs
Citation key D-ONIDRAT-07
Author Dreger, Holger
Year 2007
School Technische Universität München, Munich, Germany
Abstract Network Intrusion Detection Systems (NIDS) span an area of massive research and commercial interest. Modern systems offer a wide range of capabilities and parameters to adapt the analysis to the needs of the operator. If one deploys a NIDS in a high-volume network environment (1 Gbps or more), however, one notices that some capabilities are not usable because the available resources (CPU cycles and memory) of the NIDS are not sufficient for such detailed analysis. In this thesis, we target a thorough understanding of the dependencies and tradeoffs between NIDS resource usage and detection capabilities. We base this work on our operational experience with NIDS in three large research network environments, among them the Münchener Wissenschaftsnetz (MWN), Germany. We demonstrate that operational network intrusion detection in high-volume network environments raises a host of resource management issues. We explore tradeoffs between resource usage and analysis that range from predictive to adaptive to retrospective.

Predicting the resource usage of a NIDS is difficult. We set out to develop a performance model of a NIDS that allows determining the appropriate analysis depth and parametrization of the system. The model can be used in two ways: first, to help determine a configuration of the NIDS based on the measured traffic characteristics of the network environment; second, to predict the NIDS resource usage based on a known or guessed trend of the network traffic development.

Connection-oriented NIDS do not analyze every connection the same way. However, the decision process of how to analyze a connection is rather hard-configured into the NIDS, which means that at run time the NIDS cannot adapt the analysis per connection. We develop a framework for connection-oriented NIDS to decide at run time, per connection, what analysis to perform. We use this framework for dynamically performing the appropriate application-layer protocol decoding. Using this enhancement, a NIDS is for example able to reliably detect applications not using their standard ports, to do payload inspection of FTP data connections, and to reliably detect IRC-based botnet clients and servers.

If a NIDS alerts in a high-volume environment, it cannot provide much context to the operator. To trade off disk space against forensic capability, we develop a NIDS-supplementary tool called Time Machine. The tool records a prioritized yet comprehensive packet trace in high-volume environments. Our approach leverages the heavy-tailed connection size distribution: it prioritizes small connections over large ones, which greatly reduces the volume of traffic to record while retaining the largest fraction of the connections transferred.

For our operational evaluation of the tradeoffs and the developed mechanisms throughout this thesis, we use the open source NIDS Bro. Its design targets maximum flexibility, which makes it an ideal platform for powerful extensions and for use in a wide range of experiments.
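The per-connection, run-time analysis decision the abstract describes can be illustrated with a small classifier that looks at the first payload bytes of each direction instead of trusting the server port. The following is an added example written for this page; it is not Bro's dynamic protocol detection code, and the signatures, port table, sample connections and the FTP PASV bookkeeping are all constructed here. The FTP data-channel part assumes that the control-channel analyzer announces the expected data port, which is the usual way to get payload inspection of an otherwise opaque data connection; that mechanism is an assumption of this example, not a detail stated in the abstract.

```python
"""Port-independent application-protocol detection for per-connection analysis.

Added illustration; not Bro's DPD implementation. All signatures, sample
connections and the PASV bookkeeping below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Static port-to-analyzer mapping, i.e. the "hard-configured" decision.
PORT_TABLE = {21: "ftp", 22: "ssh", 80: "http", 6667: "irc"}

# (protocol, side, regex over the first bytes that side sent). Constructed.
SIGNATURES = [
    ("http", "orig", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("http", "resp", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    ("ssh",  "orig", re.compile(rb"^SSH-[12]\.\d+-")),
    ("ssh",  "resp", re.compile(rb"^SSH-[12]\.\d+-")),
    ("irc",  "orig", re.compile(rb"^(?:NICK|USER|PASS) [^\r\n]*\r\n", re.I)),
    ("irc",  "resp", re.compile(rb"^:\S+ (?:NOTICE|\d{3}) ", re.I)),
    ("ftp",  "resp", re.compile(rb"^220[ -][^\r\n]*(?:FTP|FileZilla|vsFTPd)", re.I)),
]
PREFIX = 256  # bytes of each direction inspected before deciding

# Data channels announced by an FTP control connection: resp_port -> analyzer.
# One-shot: an entry is consumed by the first connection that matches it.
EXPECTED: dict[int, str] = {}


@dataclass(frozen=True)
class Connection:
    resp_port: int      # server-side port
    orig_bytes: bytes   # first payload bytes sent by the client
    resp_bytes: bytes   # first payload bytes sent by the server


def port_based(conn: Connection):
    """The static decision: analyzer chosen from the port alone."""
    return PORT_TABLE.get(conn.resp_port)


def payload_based(conn: Connection):
    """Return the first protocol whose signature matches either direction, else None."""
    for proto, side, rx in SIGNATURES:
        data = conn.orig_bytes if side == "orig" else conn.resp_bytes
        if rx.match(data[:PREFIX]):
            return proto
    return None


def expected_port_from_pasv(line: bytes):
    """Parse the data port out of a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        return None
    return int(m.group(5)) * 256 + int(m.group(6))


def expect_data_channel(resp_port: int, analyzer: str) -> None:
    """Called by the control-channel analyzer once it has seen PASV/PORT (assumed hook)."""
    EXPECTED[resp_port] = analyzer


def choose_analyzer(conn: Connection):
    """Run-time decision per connection. Returns (analyzer, reason).

    Precedence: an announced data channel, then payload evidence, then the port.
    """
    if conn.resp_port in EXPECTED:
        return EXPECTED.pop(conn.resp_port), "expected"
    proto = payload_based(conn)
    if proto:
        return proto, "payload"
    return port_based(conn), "port"


if __name__ == "__main__":
    # Constructed samples: HTTP on a non-standard port, an IRC bot hiding on 80.
    web = Connection(8443, b"GET /admin HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
                     b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    bot = Connection(80, b"NICK x3k9\r\nUSER x3k9 0 * :x3k9\r\n",
                     b":irc.example.net NOTICE AUTH :*** Looking up your hostname\r\n")
    for c in (web, bot):
        print(f"port {c.resp_port}: static={port_based(c)} dynamic={choose_analyzer(c)}")
    # FTP data connection: only the control channel knows what port 50155 carries.
    expect_data_channel(expected_port_from_pasv(b"227 Entering Passive Mode (10,0,0,5,195,235)\r\n"), "ftp-data")
    data = Connection(50155, b"", b"\x89PNG\r\n\x1a\n" + bytes(32))
    print("ftp data channel:", choose_analyzer(data))
```

Signature order matters: the list is scanned once per connection, so the cheapest and most specific patterns should come first, and a NIDS would normally keep the candidate set open until enough bytes have arrived rather than deciding on the first match as this toy does.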
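The disk-versus-forensics tradeoff behind the Time Machine can be made concrete with a simulation of prioritized recording over a heavy-tailed mix of connection sizes. This is an added example written for this page, not the Time Machine's own code. It assumes that "prioritizing small connections over large ones" is realized by keeping only the first `cutoff` bytes of every connection (the abstract does not state the mechanism), and it draws connection sizes from a Pareto distribution as a stand-in for the heavy-tailed distribution the abstract refers to; the fixed sample list and all parameters are constructed.

```python
"""Simulate prioritized packet recording with a per-connection byte cutoff.

Added illustration, not the Time Machine implementation. Assumption: small
connections are favoured by truncating every connection after `cutoff` bytes.
Connection sizes below are constructed (fixed list and a Pareto draw).
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    cid: int
    size: int  # total payload bytes carried by the connection


# Constructed sample: three small connections and one bulk transfer.
SAMPLE = [Connection(0, 100), Connection(1, 500), Connection(2, 2000), Connection(3, 100_000)]


def pareto_connections(n: int, alpha: float = 1.2, xmin: int = 200, seed: int = 7) -> list[Connection]:
    """Draw n connection sizes from a Pareto(alpha) distribution scaled to xmin bytes.

    alpha close to 1 gives a very heavy tail: a few connections carry most bytes.
    """
    rng = random.Random(seed)
    return [Connection(i, int(rng.paretovariate(alpha) * xmin)) for i in range(n)]


def bytes_recorded(conns: list[Connection], cutoff: int) -> int:
    """Bytes written to disk when each connection is truncated after `cutoff` bytes."""
    return sum(min(c.size, cutoff) for c in conns)


def evaluate_cutoff(conns: list[Connection], cutoff: int) -> dict:
    """Fraction of traffic volume stored vs. fraction of connections kept in full."""
    total = sum(c.size for c in conns)
    complete = sum(1 for c in conns if c.size <= cutoff)
    return {
        "cutoff": cutoff,
        "bytes_fraction": bytes_recorded(conns, cutoff) / total,
        "complete_fraction": complete / len(conns),
    }


def cutoff_for_budget(conns: list[Connection], budget: int) -> int:
    """Largest cutoff whose recorded volume fits into `budget` bytes.

    Binary search works because bytes_recorded is monotone in the cutoff.
    """
    lo, hi = 0, max(c.size for c in conns)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if bytes_recorded(conns, mid) <= budget:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    conns = pareto_connections(50_000)
    for cutoff in (1_000, 10_000, 100_000):
        r = evaluate_cutoff(conns, cutoff)
        print(f"cutoff {cutoff:>7} B: store {r['bytes_fraction']:.1%} of bytes, "
              f"{r['complete_fraction']:.1%} of connections complete")
    budget = sum(c.size for c in conns) // 10  # keep 10 % of the traffic volume
    print("cutoff for a 10 % disk budget:", cutoff_for_budget(conns, budget))
```

The heavier the tail (alpha closer to 1), the more dramatic the effect: a cutoff of a few kilobytes keeps the overwhelming majority of connections intact, including the short control and handshake exchanges an analyst needs after an alert, while the handful of bulk transfers that dominate the byte count are only sampled at their start.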
Bibtex Type of Publication Doctoral thesis (Doktorarbeit)
