Packet and Flow Based IDS

The document discusses the challenges and classifications of Network Intrusion Detection Systems (NIDS), focusing on packet-based and flow-based approaches. Packet-based NIDS capture all network packets but struggle with high-speed networks and encrypted payloads, while flow-based NIDS analyze network flow statistics, making them suitable for detecting various attacks like DoS, scans, worms, and botnets. It also highlights specific tools for both types of intrusion detection, such as Berkeley Packet Filter for packet-based and Cisco NetFlow for flow-based systems.
Copyright: © All Rights Reserved

Packet and Flow based IDS

Network Flow
• Internet traffic, as well as line speed, continues to grow.
• Network Intrusion Detection Systems should be able to handle the growing number of attacks, the growth in Internet traffic, and the increase in line speed.
• Well-known systems like Snort and Bro exhibit high resource consumption when confronted with the overwhelming amount of data found in today’s high-speed networks.
• The spread of encrypted protocols poses a new challenge to payload-based systems.
Classification of IDS
Packet-based NIDS
• Here, all network packets passing a certain observation point, such as a router, are captured without any loss of information.
• Also known as “Deep Packet Inspection” (DPI).
• A combination of header and payload scan determines whether a packet is an intrusion or not.
• Realized by making use of software such as tcpdump.
• Packet capturing and analysis can take place at different locations such as routers, switches, and network monitors, from which the resulting measurement data is transported for remote analysis.
• Packets will be dropped if the NIDS is not fast enough to complete the analysis.
• Packet-based schemes are very time consuming and therefore should not be used on high-speed links.
• Signature matching is impossible in most cases of encrypted payload, degrading the detection performance of NIDSs.
Flow based NIDS
• Unlike the packet-based approach, network flows don’t provide any packet payload.
• Flow-based detection instead relies on information and statistics of network flows; therefore flow-based NIDSs are also called “network behavior”.
• A flow can be defined as a unidirectional data stream between two computer systems where all transmitted packets of this stream share the following characteristics:
– IP source and destination address
– source and destination port number
– the number of packets and amount of bytes transferred in the flow
– the start and end time of the flow (in milliseconds)
• Any attack that is only visible in the payload will not be identified by the flow-based method.

IP Flow exporting and collecting architecture
• The metering process involves creating flow records from observed traffic.
• Each packet header is marked with the timestamp at which it was captured.
• Sampling lowers the demands put on the flow exporter.
• Each incoming packet header triggers an update to a flow entry in the flow cache.
• Once a flow record has expired, it is sent to the flow collector.
• A flow is considered expired when:
– the flow was idle for longer than a given threshold
– the flow reaches the maximum allowed lifetime
– the FIN or RST flags have been seen in a TCP flow
– the flow-cache memory gets full
• The aim of the flow collector is to retrieve the flows created by the flow exporter and to store them in a form suitable for further monitoring or analysis.
Flow-based intrusion detection
• Flow-based intrusion detection provides
approaches to detect the following classes of
attacks:
– Denial of Service
– Scans
– Worms
– Botnets
Denial of Service
• Anomaly-based DoS detection in high-speed networks can be done using flow information only:
– aggregate flow measures are collected in a data structure named a sketch.
– A sketch is a one-dimensional hash table suitable for fast storage of information; it mainly counts occurrences of an event.
– Sketches permit statistically characterizing how the traffic varies over time, simply by tracking the presence of a flow in a specified time frame.
• A simple example of the use of sketches against DoS attacks is the detection of a SYN flooding attack:
– An anomaly-based engine triggers alarms based on a forecast value of the measure the system is supposed to monitor: a sharp variation from the mean is flagged as an anomaly.
– The sketch stores, for each time frame and each tuple (dest_IP, dest_port), the difference between the number of SYN packets and the number of SYN/ACKs.
– If the stored value for the current time frame deviates from the expected one, a SYN flooding DoS attack is detected.
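The sketch-based SYN flooding detector described above, as an added example that is not from the slides: one sketch per time frame hashes each (dest_IP, dest_port) tuple to a bucket holding the SYN minus SYN/ACK count, and each bucket is compared against a mean-based forecast from earlier frames. The sketch width, the k·σ sensitivity and the absolute floor are assumed values, and the traffic records are constructed.

```python
import hashlib
from statistics import mean, pstdev

WIDTH = 1024               # sketch width in buckets (assumed)
K, MIN_DELTA = 3.0, 20     # assumed sensitivity: k standard deviations above the forecast, absolute floor
SYN, ACK = 0x02, 0x10      # TCP flag bits

def bucket(ip, port):
    """Hash a (dest_IP, dest_port) tuple to a sketch bucket."""
    digest = hashlib.sha256(f"{ip}:{port}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % WIDTH

def build_sketches(records):
    """records: (frame, src, sport, dst, dport, flags). Per frame, the sketch holds
    #SYN - #SYN/ACK for the (dest_IP, dest_port) of each connection attempt."""
    frames = {}
    for frame, src, sport, dst, dport, flags in records:
        sk = frames.setdefault(frame, [0] * WIDTH)
        if flags & SYN and flags & ACK:        # SYN/ACK comes from the server: credit (src, sport)
            sk[bucket(src, sport)] -= 1
        elif flags & SYN:                      # plain SYN aimed at (dst, dport)
            sk[bucket(dst, dport)] += 1
    return frames

def detect(frames):
    """Forecast each bucket from earlier frames; alarm on a sharp deviation above it."""
    history, alarms = [[] for _ in range(WIDTH)], []
    for frame in sorted(frames):
        for b, value in enumerate(frames[frame]):
            past = history[b]
            if past and value - mean(past) > max(MIN_DELTA, K * pstdev(past)):
                alarms.append((frame, b))       # (time frame, sketch bucket) that deviated
            past.append(value)
    return alarms

def constructed_records():
    recs = []
    for frame in range(1, 6):                  # frames 1-5: 10 completed handshakes each
        for i in range(10):
            recs.append((frame, f"192.0.2.{i}", 40000 + i, "10.0.0.5", 80, SYN))
            recs.append((frame, "10.0.0.5", 80, f"192.0.2.{i}", 40000 + i, SYN | ACK))
    for i in range(200):                       # frame 5 only: 200 SYNs that are never answered
        recs.append((5, f"198.51.100.{i % 250}", 50000 + i, "10.0.0.5", 80, SYN))
    return recs

def run_demo():
    return detect(build_sketches(constructed_records()))
```

Because the sketch stores only hashed buckets, an alarm names a bucket; mapping it back to the victim (dest_IP, dest_port) needs a secondary lookup over the flows of that frame.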
Scans
• Scans are usually characterized by small packets that probe the target systems.
• A scanning source shows an unnaturally high number of outgoing connections.
• There are three categories of scans:
– Horizontal scan: a host scanning a specific port on many destination hosts
– Vertical scan: a host scanning several ports on a single destination host
– Block scan: a combination of both
• This approach looks at host behavior in terms of incoming/outgoing connections.
• It allows addressing DoS and scan attacks by analysing hosts with an inadequate and unusual fan-in/fan-out.
Worms
• Worm behavior is usually divided into:
– a target discovery phase
– a transfer phase
• Flow-based detection systems usually focus on the target discovery phase.
• Hosts are assigned to a set of classes that characterize host behavior on the basis of incoming and outgoing connections:
– The traffic class groups hosts that send more traffic than they receive.
– Hosts that show an unusually high number of outgoing connections are part of the connector class.
– Hosts involved in many bidirectional connections belong to the responder class.
• The method aims to periodically check the status of the hosts of an entire network.
• In this way, it is able to detect worm spreads, as they cause massive changes in the cardinality of one or more classes.
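The fan-in/fan-out view of the Scans slide and the traffic/connector/responder classes of the Worms slide both derive from the same per-host connection counters, so one added example (not from the slides) serves both: it pairs each unidirectional flow with its reverse flow to find bidirectional connections, counts initiated and received connections per host, labels horizontal/vertical/block scanners, and assigns the three host classes. All thresholds are assumed values and the flow records are constructed.

```python
from collections import defaultdict

FANOUT_LIMIT, BIDIR_MIN = 20, 20   # assumed thresholds for "unusually high" / "many"
HOSTS_MIN, PORTS_MIN = 10, 10      # assumed: distinct targets / ports before calling it a scan

def host_stats(flows):
    """flows: unidirectional records (start, src, sport, dst, dport, bytes). A flow and its
    reverse flow form one bidirectional connection; the earlier half is the initiator."""
    first = {(s, sp, d, dp): (t, b) for t, s, sp, d, dp, b in flows}
    st = defaultdict(lambda: {"out": 0, "in": 0, "bidir": 0, "sent": 0, "recv": 0,
                              "hosts": set(), "ports": set()})
    for key, (t, b) in first.items():
        s, sp, d, dp = key
        st[s]["sent"] += b; st[d]["recv"] += b
        rev = first.get((d, dp, s, sp))
        if rev and (rev[0], (d, dp, s, sp)) < (t, key):
            continue                 # reply half: the connection is counted from the other side
        st[s]["out"] += 1; st[d]["in"] += 1
        st[s]["hosts"].add(d); st[s]["ports"].add(dp)
        if rev:
            st[s]["bidir"] += 1; st[d]["bidir"] += 1
    return st

def scan_type(h):
    """Horizontal: one port on many hosts; vertical: many ports on one host; block: both."""
    many_hosts, many_ports = len(h["hosts"]) >= HOSTS_MIN, len(h["ports"]) >= PORTS_MIN
    if many_hosts and many_ports:
        return "block"
    return "horizontal" if many_hosts else "vertical" if many_ports else None

def classify(flows):
    st = host_stats(flows)
    scans = {h: scan_type(v) for h, v in st.items() if scan_type(v)}
    classes = {"traffic": sorted(h for h, v in st.items() if v["sent"] > v["recv"]),
               "connector": sorted(h for h, v in st.items() if v["out"] >= FANOUT_LIMIT),
               "responder": sorted(h for h, v in st.items() if v["bidir"] >= BIDIR_MIN)}
    return scans, classes

def constructed_flows():
    f = []
    for i in range(30):          # 30 clients fetch pages from 10.0.0.5; replies are larger
        f.append((float(i), f"192.0.2.{i}", 40000 + i, "10.0.0.5", 80, 300))
        f.append((i + 0.1, "10.0.0.5", 80, f"192.0.2.{i}", 40000 + i, 5000))
    for i in range(40):          # 10.0.0.66 probes port 445 on 40 hosts, never answered
        f.append((100.0 + i, "10.0.0.66", 50000 + i, f"10.0.1.{i}", 445, 60))
    for p in range(20, 40):      # 10.0.0.77 probes 20 ports on one host, never answered
        f.append((200.0 + p, "10.0.0.77", 51000 + p, "10.0.1.200", p, 60))
    return f
```

Periodic re-evaluation over successive flow exports, with the class sizes tracked over time, gives the cardinality changes the Worms slide relies on.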
Botnets
• Botnets consist of infected hosts (bots) controlled by a central entity, known as the master.
• Many botnets used to rely on IRC channels, which can be identified at flow level.
• From reports of malicious activity obtained from diverse sources (scan logs, spam logs, and viruses), the groups of flows involved in suspicious communications can be identified.
• Each candidate conversation is checked against the flow model.
• Once the controllers have been identified, the suspected bots are grouped into behavioral groups (clusters of bots that show the same activity pattern).
• A hierarchical clustering procedure groups the hosts based on their port activities.
• In the case of botnets, only long-term observations can lead to the identification of the bots and the controller.
Packet-based Intrusion Detection Tools
• Berkeley Packet Filter (BPF)
– provides a raw interface down to the data link layer and can receive and generate new frames
– often used in conjunction with libpcap
– defines its own filtering language
– is very resource efficient, as data filtered out is not transferred from kernel space to user space.
Flow-based Intrusion Detection Tools
• Cisco NetFlow
– NetFlow records can contain information up to the transport layer in the form of the set TCP flags
– has the ability to include parts of the payload in the records
– many attacks can be reliably detected by looking only at the first few bytes of the payload.
Flow record fields of Cisco NetFlow
