Design and Development of a Hardware Based Network Intrusion Prevention System (IPS)
1. Project Overview
Proposal summary: This project is funded by Department of Information Technology, Ministry of Communications and Information Technology, Government of India. The project duration is 18 months starting from Feb. 2008 onwards.
Objective: To carry out research in intrusion prevention and content analysis in order to design and develop a high-performance, hardware-based network intrusion prevention system.
Proposal Overview
In this proposal we aim to carry out research in intrusion and content analysis and to build a hardware-based network IPS capable of capturing packets at wire speed, confirming attacks through multi-method detection, and running hardware-specific algorithms for pattern matching and content analysis.
Why IPS?
The IPS shall work in in-line mode, analysing packets at wire speed and taking preventive measures once an attack has been validated through multi-method detection. An IPS has further advantages: first, it needs no human interaction to take preventive measures against well-proven attacks; second, it can operate at line speed; third, the analysis capabilities of an IDS can be attached at the back-end; and fourth, it is easy to deploy.
2. Prior Art
As part of DIT, MCIT, Govt. of India funded initiatives since 2003, the team has been developing solutions for intrusion detection, analysis and response. As a result the team has developed N@G (Network at Guard), an indigenous C-DAC Intrusion Detection System that is used by various agencies; the source code of N@G's base component is available as open source at http://trinetra.ncb.ernet.in/~nag
Citation: N@G was listed among the contemporary Intrusion Detection Systems in a recent (March 2009) survey article in Elsevier's Computers & Security journal:
P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, E. Vázquez, "Anomaly-based network intrusion detection: Techniques, systems and challenges", Computers & Security, pp. 18-28.
3. Overall strategy
- Analysis of hardware-based pattern-matching algorithms, robust memory management and protocol decoding, together with research into content analysis
- Creation of IPS specific signatures
- Design and Development of multi-method attack detection techniques
- Flow based IDS
- Integration of various hardware modules and integration with software analysis modules
- Testing: Lab as well as at the field
4. Expected outcome
- Efficient packet capturing hardware module
- Hardware based protocol decoder
- Robust memory management scheme for IPS.
- Storage mechanism of Signature repository for faster retrieval and access.
- Efficient signature detection engine with IPS specific signatures
- A communication protocol between the appliance and N@G server.
- A fast content matching algorithm implementation on a hardware platform
- Hardware based Intrusion Prevention System
5. Current Status
As a part of this on-going work the team has developed the following solutions that are being tested for various conditions.
5.1 Guard Your Network
GYN (Guard Your Network) is the Intrusion Prevention System (IPS) being developed as part of this project. GYN captures packets in in-line mode at wire speed, carries out multi-method detection using several signature and anomaly detection mechanisms, and will be capable of taking preventive action against any critical attack detected. Currently GYN is available as a software in-line IPS (with an IDS mode); work is in progress to develop the NetFPGA-based hardware GYN.
IPS components
5.2 Adrisya
C-DAC's Adrisya (Anomaly Detector and Traffic Information System) is a web-based traffic monitoring and anomaly detection tool. It uses flow data, which can be imported from network devices such as routers and switches, and is suitable for high-speed network traffic monitoring and analysis. Alternatively, Adrisya provides its own flow probes to capture traffic flows; it carries out traffic analysis and presents the results through a web interface.
Flow Analyzer
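The flow-based analysis described above, as an added example that is not Adrisya's own code: a small scan detector over constructed NetFlow-style records, flagging a vertical scan (many ports on one host) and a horizontal sweep (one port across many hosts) from SYN-only, single-packet flows. Field names, thresholds and sample addresses are assumptions.

```python
"""Flow-based scan detection over constructed flow records (illustrative, not Adrisya's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    packets: int
    tcp_flags: str  # e.g. "S", "SA", "SPA"; empty for udp


# Constructed sample flows (assumed field layout):
#  - 10.0.0.5 sends one SYN to each of 25 ports on 192.0.2.10 (vertical scan)
#  - 10.0.0.9 sends one SYN to port 22 on 15 different hosts (horizontal sweep)
#  - 10.0.0.7 holds a normal HTTP session with 192.0.2.10
SAMPLE_FLOWS = [
    *[Flow("10.0.0.5", "192.0.2.10", p, "tcp", 1, "S") for p in range(20, 45)],
    *[Flow("10.0.0.9", f"192.0.2.{h}", 22, "tcp", 1, "S") for h in range(1, 16)],
    Flow("10.0.0.7", "192.0.2.10", 80, "tcp", 42, "SPA"),
    Flow("192.0.2.10", "10.0.0.7", 51234, "tcp", 30, "SPA"),
]


def syn_only(f: Flow) -> bool:
    """Half-open probe: SYN set, no ACK, and only one or two packets in the flow."""
    return (f.proto == "tcp" and "S" in f.tcp_flags
            and "A" not in f.tcp_flags and f.packets <= 2)


def detect_scans(flows, min_ports: int = 20, min_hosts: int = 10) -> list:
    """Return alert tuples: ("vertical_scan", src, dst, n_ports) or
    ("horizontal_sweep", src, dport, n_hosts). Thresholds are assumed values."""
    ports_by_src_dst = defaultdict(set)   # (src, dst)   -> distinct dports probed
    hosts_by_src_port = defaultdict(set)  # (src, dport) -> distinct hosts probed
    for f in flows:
        if syn_only(f):
            ports_by_src_dst[(f.src, f.dst)].add(f.dport)
            hosts_by_src_port[(f.src, f.dport)].add(f.dst)
    alerts = []
    for (src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= min_ports:
            alerts.append(("vertical_scan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_by_src_port.items():
        if len(hosts) >= min_hosts:
            alerts.append(("horizontal_sweep", src, dport, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```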
5.3 Salient Features
- Signature Protections
- Server Crack protection
- Reconnaissance Detection
- Stateful Inspection
- Traffic Anomaly Detection
- Flow Detection
- Worms
- Access control
- Alerting
- Management
- Comprehensive Threat Protection
- Maximum throughput (1 Gbps)
- Latency (250 microseconds)
- Sessions (10,00,000, i.e. 1,000,000)
- Operation mode (In-line and passive sniffer)
6. International Publications
- RUDRAA: intRUsion Detection pRevention signAture formulAtion. Sachin Narayanan, Mohammed Misbahuddin, Bishwa Ranjan Ghosh. ACM-sponsored International Conference on Computing, Communications & Control (ICAC3 09).
- Analysis of TCP flow data for traffic anomaly and scan detection. Muraleedharan N. Poster paper, 16th IEEE International Conference on Networks (ICON 2008), New Delhi, 12-14 December 2008.
- Grid Security Challenges: Experiences and proposed framework for mitigation. Subramanian N, Praveen D Ampatt, Shahid Shamsuddeen, Badiuzzaman L. FIRST 2008 international conference, Hyatt Regency Vancouver, British Columbia, Canada, June 22-27, 2008.
- Threat-Aware Signature based Intrusion Detection System. Subramanian N and Shrisha Rao (IIIT, Bengaluru). IEEE-ICIMP 2008.
- Threat-Aware Anomaly based Intrusion Detection System. Subramanian N and Shrisha Rao (IIIT, Bengaluru). ICDCN 2009, Springer-Verlag.
- An Approach to Alert Correlation using Comprehensive Alert Profiling. Pramod S. Pawar, Rajiv Ranjan, Prasad J. Pandit, Ram Kumar G., Jetty Chaitanya, Nihar S. Khedekar, Abhishek Kumar Singh, Sandeep Yadav. International Conference on E-Security, Computer Society of India, Vishakhapatnam, 24-26 February 2006.
- Development of a Comprehensive Intrusion Detection System - Challenges and Approaches. N. Subramanian, Pramod S. Pawar, Mayank Bhatnagar, Nihar S. Khedekar, Srinivas Guntupalli, N. Satyanarayana, V.K. Vijaykumar, Praveen D. Ampatt, Rajiv Ranjan and Prasad J. Pandit. 1st International Conference on Information Systems Security (ICISS 2005), Kolkata, India, 19-21 December 2005.