Design and Implementation of Security Gateway System for Intrusion Detection on High-speed Links
Byoung-Koo Kim, Ik-Kyun Kim, Jong-kook Lee, Ki-Young Kim and Jong-Soo Jang
Security Gateway System Team, Electronics and Telecommunications Research Institute
161 Gajeong-Dong, Yuseong-Gu, Daejeon, 305-350, KOREA
Tel: +82-42-860-4888, Fax: +82-42-860-5611
E-mail: {kbg63228, ikkim21, ljk63466, kykim, jsjang}@etri.re.kr
Introduction
• Overview of NSCS Environment
  [Diagram: NSCS environment made up of CPCS nodes and SGS nodes]
• CPCS : Cyber Patrol Control System
• SGS : Security Gateway System
Architecture of NSCS
• CPCS: HAB (High-Analyzer Block), SMB (System Management Block), AMB (Alert Management Block), PMB (Policy Management Block), Viewer, COPS/IAP Server (Interface Block)
• SGS: COPS/IAP Client (Interface Block), CPAB (Cyber Patrol Agent Block), IDAB (Intrusion Detection and Analyzing Block), PSAB (Packet Sensing and Analyzing Block)
• SGS runs in Inline Mode Operation
Detailed SGS Architecture
• Application Task (Filesystem / Database): Local GUI, SNMP Agent, Response Manager, Database Manager, Local Alert Manager, System Manager, Local Policy Manager, COPS/IAP Client
• IOCTL I/F and Socket I/F between the application tasks and the kernel module
• IDAB (Kernel Module): Rule Manager with the Data Structure for Rule, Preprocessor (IP defragmentation, TCP reassembly, Application decode, Portscan detection), Payload Pattern Matching
• PCI Bus between the kernel module and the FPGA
• PSAB (FPGA Logic): Rule Mirror Table, Preprocessor Filter, Fixed Field Pattern Matching, Flow Statistics, Blocking, Sensing, Forwarding
Detection Rule Configuration
• Rules are organized into four groups (TCP Group, UDP Group, ICMP Group, IP Group); each group carries the same field layout:
  – Fixed Field Pattern (detection related fields): Source IP Address, Destination IP Address, Source Port, Destination Port, TTL, IP ID, Fragbits, TCP Flags, Seq, Ack, Etc…
  – Payload Pattern (detection related fields): Data size, Content, Offset, Depth, Uricontent, Etc…
  – Alert related fields: Attack name / Alert Message, Signature ID, Etc…
• H/W Logic Rule Mirror Table ↔ Kernel Logic Rule Table: 1:N matching
Detection Algorithm – H/W (FPGA logic)
• Packet Monitor receives the packet
• PP Filter Check: preprocessing necessary? YES → PP Flag=1, NO → PP Flag=0
• FF Pattern Search: FF pattern matching? YES → FF Flag=1, NO → FF Flag=0
• PP Flag=1 or FF Flag=1? YES → Packet Send to the Kernel Logic over the PCI Bus; NO → packet not sent to the kernel
• PP : Preprocessor
• FF : Fixed Field
Detection Algorithm – Kernel
• Packet arrives from the FPGA Logic over the PCI Bus → Packet Decode
• PP Flag = 1? YES → Preprocess; Preprocessor Detection? YES → Alert Send; (YES/NO) → continue to the FF Flag check
• FF Flag = 1? YES → Payload Pattern Search; Payload Pattern Matching? YES → Alert Send; NO → done
• Alert Send → Socket Interface → CPAB
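The two-stage matching on the rule-configuration and detection-algorithm slides (fixed-field match in the FPGA against the Rule Mirror Table setting the FF flag, then payload pattern search in the kernel over the 1:N mirrored rules), as an added Python model that is not the paper's or ETRI's code; the rule entries, packet dictionaries, flag handling and offset/depth semantics are constructed assumptions, and the PP (preprocessor) path is omitted.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class FixedField:  # hardware-side entry of the Rule Mirror Table (header fields only)
    proto: str
    dst_port: int | None = None
    tcp_flags: str | None = None

    def matches(self, pkt: dict) -> bool:
        if pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return self.tcp_flags is None or pkt.get("tcp_flags") == self.tcp_flags

@dataclass(frozen=True)
class PayloadRule:  # kernel-side entry of the Rule Table (payload + alert fields)
    sid: int
    alert: str
    content: bytes
    offset: int = 0
    depth: int | None = None  # None: search to the end of the payload

    def matches(self, payload: bytes) -> bool:
        # the whole pattern must lie inside [offset, offset + depth)
        end = len(payload) if self.depth is None else self.offset + self.depth
        return payload.find(self.content, self.offset, end) != -1

# 1:N mapping from the slides: one fixed-field entry mirrored in the FPGA selects
# N payload rules held in the kernel.  Rule values are constructed for illustration.
RULE_TABLE: dict[FixedField, list[PayloadRule]] = {
    FixedField("tcp", dst_port=80, tcp_flags="PA"): [
        PayloadRule(1001, "WEB-MISC directory traversal", b"../..", offset=4),
        PayloadRule(1002, "WEB-CGI script request", b"/cgi-bin/", depth=20),
    ],
}

def fpga_stage(pkt: dict) -> bool:
    # FF flag: some fixed-field entry matched.  Forwarding happens either way.
    return any(ff.matches(pkt) for ff in RULE_TABLE)

def kernel_stage(pkt: dict) -> list[tuple[int, str]]:
    # Payload pattern search only over the N rules mirrored by the matched entries.
    return [(r.sid, r.alert) for ff, rules in RULE_TABLE.items() if ff.matches(pkt)
            for r in rules if r.matches(pkt["payload"])]

def sgs_detect(pkt: dict) -> list[tuple[int, str]]:
    # The packet crosses the PCI bus to the kernel only when the FF flag is set.
    return kernel_stage(pkt) if fpga_stage(pkt) else []
```

The depth check matters: a pattern that starts inside the window but ends past it is not reported, which is the edge case the offset/depth fields exist for.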
SGS Prototype for NSCS
• FPGA Logic (H/W) Functions
  – Wire-Speed Forwarding
  – 5-Tuple based Flow Classification
  – Statistics/Blocking/Sensing/Fixed Field Pattern Matching
• Kernel Logic Functions
  – Linux kernel-2.4.2 based Kernel Module Programming
  – Payload Pattern Matching/Alert Generation
Conclusion & Future Work
• Present the architecture of NSCS
• Design the SGS of NSCS
  – Design the architecture of SGS
  – Design the ruleset configuration of SGS
  – Design the FPGA logic and kernel logic of SGS
• Develop the prototype of SGS
• Future Work
  – Improve the detection mechanism on high-speed links
  – Guarantee the secure transmission of messages among the prototype systems
  – Resolve the problems found during verification of the implemented system