IDS mailing list archives

Tech paper on proposed future generation NIDS


From: "Ed Donegan" <Danceslikewhiteguy () hotmail com>
Date: Tue, 20 Jul 2004 05:16:21 -0400

Here is a proposal for future NIDS engines and functionality which I would be
interested in comments on.

System Modules: (*) represents a discrete processor box, interconnected to the
other CPUs.

*WayBack Machine: High performance sniffer system buffers full packet data
on high I/O speed duplexed disk arrays. Data is aggregated from the network
taps and then written to disk. In the event of an attack, traffic from the
affected nodes is grepped off disk and written to forensic channel A.

The Wayback machine aggregates network tap sniffer data and pools it on disk
for five minutes while NIDS pre-processing occurs on the data in real time.
The entire network picture can be seen, so that some attacks, such as
distributed scans and web gateway or middle-ware based system attacks, become
visible in their entirety. The Wayback machine also provides a storage buffer
of the network data as other Wayback modules perform NIDS preprocessing.

   HyperDrive: If a network attack is detected, data output to forensic
channel B can be accelerated to full I/O speed.
   ByPass: Do not pre-process data; pass all data to load balancers.

*Discombobulator: This box unloads tunnels and checks for VPN/Crypto policy
compliance and then passes extracted data on to the other real time analysis
boxes.
    Security Disassociator: Data is examined for telltale signs of
encryption such as recognized key exchange activity, certificates, exchanges
of security association tables, PGP keys, etc. Monitors the health and
propriety of encryption use in accordance with definable corporate
requirements. Checks for suspicious negotiation activity such as invalid or
bad server certificates.
      Tunnelor: Checks for propriety and health of tunnel oriented
activities. Checks for appropriate tunnel destination and ports based on user
definable criteria. Also checks for suspicious use of tunnels such as
multi-protocol tunnels (IP in IPX) or irregular data contained in ICMP or
UDP packets, or other incongruity in data and packet types. May also watch
for non-VPN activity to devices which by policy require VPN or SSL, or SSL
activities on unusual services.
Networker: All modules report suspicious activities to the Conflugalizer.

*Networker: This box receives untunnelled and tapped data for network
analysis.
    VLAN Debugger: Builds tables of VLAN IDs (802.1q and ISL) and IP
networks. Checks for consistency of IP network information. Also checks for
other signs of network trouble such as unexpected use or presence of CDP,
unusual or potentially malicious spanning tree activities, or router and
switch hacking attempts.
    NetChecker: Examines network infrastructure communications for attacks
against the network or network health problems that may arise from
compromised systems. Routing protocols, keyed/unkeyed OSPF/RIP/EIGRP
announcements and activities are watched for sudden topology changes or
bandwidth problems, malicious or accidental route injections, address space
irregularities such as internal space "sourced" from the outside or vice
versa, suspicious ICMP or SNMP activity, etc.
    Reassembler: Performs network and TCP layer fragmentation reassembly.
Layer three reassembly Off/On, and TCP reassembly Off/Unix/Windows/Learned
Host Detection. Suspicious use of fragmentation is sent to the Conflugalizer
for possible alarm.
    PAD module: Identifies spoofing attempts by hackers designed to defeat
firewall rules. Runs directional checks on source address space and MACs at
key network sensor locations such as ingress and egress points of the
network, data center, DMZs, and critical IP networks. By referencing internal
source space with source MAC addresses of acceptable router ports for the
space to be sourced from, the PAD module provides important detection of
common IP spoofing attacks. Address space coming from invalid network
locations is alarmed on.

*LASER Sight: Low And Slow Enumeration and Reconnaissance detection engine.
Low and slow scans have been the bane of IDS since the genesis of IDS. The
meaningful amounts of historical data traditionally required to detect low
and slow scans are generally cost prohibitive, particularly on busy networks.
Unlike traditional IDS, the LASER module does not depend on captured
historical data. The LASER tracks packet types instead and stores only the
number of packets, not the packets themselves. Binary counters can easily
track vast numbers of packets in relatively little space. Packets are
classified by type. Session layer packets, SYNs, ACKs, RSTs, etc. are counted
along with source, destination, and port data. TCP session datagrams are
counted and tracked as well. User customizable algorithms scan the tables
and look for things like a very high ratio of session to TCP packets from one
machine, or high ratios to various ports or destination machines.
Optionally, incomplete session establishment could be tracked, or subnetting
information could be entered in the algorithms or the tables for network
segment analysis.

*Load Balancer: Off the shelf technology from Alteon, TopLayer, etc. sends
load balanced data from the Wayback machine preprocessors to the NIDS
sensors. Data streams from selected multihost systems can be sent to
specific sensors, or data can be load balanced by protocol and application
to reduce IDS rule sets and attack processing. Data can also be load
balanced by source/destination networks.

*Conflugalizer: Correlator Detail.
When people in security speak of correlation, they often refer to causality.
The Conflugalizer provides event correlation by examining the full spectrum
of data points to discern the causality of the underlying event by
statistically quantifying the "likeness of fit" to known or discernible
events such as specific attacks or legitimate OS patching by business unit
system administrators. Most attacks have multiple components, but
traditional signatures only "trip" on one, which can lead to false positives
and false negatives. The Conflugalizer tracks systems by business unit, OS
versions, maintenance windows, administrative domains and accounts and
windows, and includes this when automatically analyzing system events.
The IDS event correlation is based on Pearson product-moment correlation
coefficient statistical principles. A correlation coefficient quantifies
the likeness (co-variance) of data points to something described. If the
observed data points match the object exactly as it is described (such as
all data points fitting the event perfectly, such as all points being on a
target line on an X/Y graph) then the correlation coefficient is "1" or 100
%, a perfect match. Alternatively, if the data points are a true "scatter"
pattern, there is no correlation, or a correlation coefficient of "0." If
an attack has hit 80 % of all machines with one patch level and the behavior
of those machines reflects a known virus, there is a strong correlation of
attack by that virus whether NIDS sensors alarmed on it or not.
If all machines from a business unit, regardless of location, have had
certain core files modified and recently were spoken to by a known SMS
machine, while similar servers from other business units were not affected,
the correlation is strongly in favor of a system patch, even if the list of
files modified is also contained in several virus definitions.
Compound IDS signatures are stored completely, including all activities of
particular attacks such as the initial buffer overflow attempt, attempts at
escalation of privilege or application launching, infected machine behavior,
common string data within the attack, etc. New variants of existing attacks
would most likely also be shown as the old attack signature with a slightly
off correlation coefficient, alerting the operator to the possibility of an
updated or modified attack in progress. This signature data is for
positives.
Negative data is collected from other systems, such as legitimate SMS
distribution activity, patch or change control planned activity, and planned
network and system changes. Suspicious activity is measured for co-variance
with known explanations such as system administration on designated systems
in designated times and co-variance with known attacker behavior. In alerts,
both the best positive correlation and the best negative correlation are
reported to assist in quick assessment of potential attacks.
Information including virus behaviors, the corporate network, its topology
and deltas, servers, servers by business units, systems administrators and
system administration accounts and time slots are tracked and analyzed in
real time.
The positive/negative and false positive/false negative accuracy of IDS is
dramatically increased over traditional systems, and in the event of an
alarm, the analyst starts with information other companies may not have for
days or weeks in after-the-fact analysis.
Correlated attack data then feeds the Alarms and Forensic Channel C data
paths.
    Security Descriptors: Security Descriptors form the heart of advanced
correlation and security capabilities. Traditional signatures and definitions
only contain limited information on an attack. General signatures can
sometimes find a variant but litter pagers with false positives and
meaningless data, while narrow definitions miss attacks and variants. Neither
provides the information to secure the network from the attack.
    Security Descriptors use a normalized data structure to catalog the
complete attack. The vulnerability exploited, the executables launched,
services or processes launched, registry and file modification, the accounts
used, the escalations or deltas in privileges, the code in the attack
itself, the media and method of propagation, log files affected and entries
into the files, the OSes, versions and patch levels vulnerable, and the
applications attacked all go into the Security Descriptors stored within the
Conflugalizer's database.

*SLADAR Targeting and Telemetry System: SLeuth Activity Discovery And
Reconnaissance. When an attack has been identified, the SLADAR module
attempts to discover information about the attacking machine(s). This would
include DNS and network registry of the machine, host network, and ISP, as
well as information about the full IP path and other ISPs in the path back.
Contact information for the responsible parties would be immediately sent to
the IDS alarm system and the correlator, and added to the Forensic C channel.
Targeting and telemetry data on the host and vulnerable points in the
intermediate network path are transmitted to the GUNS out-of-band.

*GUNS: Gigabit Upstream Neutralization Systems. In case of a serious
commerce threatening attack, GUNS, with executive authorization and
enabling, would attempt to fire back at the attacking systems and take them
offline. The GUNS would be placed at high bandwidth colos throughout the
country. Because the GUNS would be off the company network, no company
bandwidth would be consumed by the counter attack. If the company network is
completely disabled, the counter attack can still be completed. The colo
networks would be non-convergently pathed with the enterprise ISP or each
other, with burstable frame CIR rates. The GUNS themselves use gig network
cards to make full use of available bandwidth. In the event there is a need
to actively stop an attacker, the GUNS would use the following modules to
interrupt the attacking host's activities.
    Packet Pummeling: Raw Bandwidth: DDOS the DDOSers from off the network
with remotely operated GUNS. With multiple high bandwidth colo'd guns, most
attacking systems, even in distributed attacks, could be taken off line by
the GUNS by simply flooding the attacker NICs.
    Packet Stream Annihilation: Attack the packet streams. Attack the
network infrastructure carrying the attack with black holing, ICMP
unreachable, TCP resets, forged ICMP quenching, etc.
    Stack Attacks and OS Assassination: Utilize available information from
the SLADAR system to discover and attempt appropriate attacks against the
attacking host to gain control of it or take it off line, or set DDOSing
machines upon each other.

*Burner: Writes to CD concurrent data channels of detected incidents,
including all traffic to the host in the five minutes before the attack on
the A channel, the cleaned up data stream on the B channel, and alarm data on
the C channel. Data from the B channel is subject to a five minute delay
unless the HyperDrive is engaged. All data written is time stamped by the
system clock and MD5 stamped.
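The LASER Sight module above keeps counters of packet types per source rather than the packets themselves, then scans the tables for scan-like ratios. The following is an added illustration of that counting approach, written for this archive page and not code from the original post; the record layout (`src`, `dst`, `dport`, `flags`, `len`), the thresholds and the sample traffic are all constructed assumptions.

```python
"""Added example (not from the original post): LASER-style per-source
packet-type counters and a ratio scan over the resulting table.
Record layout, thresholds and sample traffic are constructed for this
illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceCounters:
    """Only counts and small sets are kept, never the packets."""
    syn: int = 0
    synack: int = 0
    ack: int = 0
    rst: int = 0
    data: int = 0                  # datagrams carrying payload in a session
    dst_hosts: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)


def classify(flags: str, payload_len: int) -> str:
    """Map TCP flag letters (S=SYN, A=ACK, R=RST) to a LASER packet class."""
    if "R" in flags:
        return "rst"
    if "S" in flags and "A" in flags:
        return "synack"
    if "S" in flags:
        return "syn"
    if payload_len > 0:
        return "data"
    return "ack"


def count_packets(packets):
    """Build the per-source counter table from a stream of packet records."""
    table = defaultdict(SourceCounters)
    for pkt in packets:
        cls = classify(pkt["flags"], pkt["len"])
        c = table[pkt["src"]]
        setattr(c, cls, getattr(c, cls) + 1)
        c.dst_hosts.add(pkt["dst"])
        c.dst_ports.add(pkt["dport"])
    return table


def find_scanners(table, min_syn=8, max_completion=0.25, min_targets=6):
    """Flag sources whose SYNs vastly outnumber session data packets and
    that touched many distinct hosts/ports. Thresholds are assumptions."""
    hits = []
    for src, c in table.items():
        if c.syn < min_syn:
            continue
        completion = c.data / c.syn        # data datagrams per SYN sent
        targets = len(c.dst_hosts) + len(c.dst_ports)
        if completion <= max_completion and targets >= min_targets:
            hits.append((src, c.syn, round(completion, 2), targets))
    return hits


# Constructed sample traffic: one slow port scanner and one ordinary client.
SAMPLE = []
for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080]):
    SAMPLE.append({"src": "203.0.113.7",
                   "dst": "192.0.2.10" if i % 2 == 0 else "192.0.2.11",
                   "dport": port, "flags": "S", "len": 0})
for _ in range(3):                      # three normal HTTPS sessions
    for flags, ln in (("S", 0), ("A", 0), ("A", 512), ("A", 0)):
        SAMPLE.append({"src": "198.51.100.5", "dst": "192.0.2.10",
                       "dport": 443, "flags": flags, "len": ln})

if __name__ == "__main__":
    print(find_scanners(count_packets(SAMPLE)))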

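The Conflugalizer section describes scoring observed activity against stored Security Descriptors with a Pearson product-moment correlation coefficient and reporting both the best attack fit and the best benign explanation. The block below is an added worked example of that scoring, not code from the original post; the indicator names, the descriptor contents and the observed event set are constructed for the illustration.

```python
"""Added example (not from the original post): Pearson correlation of an
observed indicator vector against stored Security Descriptors, reporting
the best attack (positive) and best benign (negative) explanation.
Indicator names and descriptor contents are constructed assumptions."""
from math import sqrt

# Normalized indicator columns shared by every descriptor (constructed).
INDICATORS = ["buffer_overflow", "priv_escalation", "new_service",
              "core_files_modified", "sms_contact", "in_maint_window",
              "outbound_scan"]

# name -> (kind, expected presence of each indicator), constructed.
DESCRIPTORS = {
    "worm_x":    ("attack", [1, 1, 1, 1, 0, 0, 1]),
    "trojan_y":  ("attack", [0, 1, 1, 0, 0, 0, 1]),
    "sms_patch": ("benign", [0, 0, 1, 1, 1, 1, 0]),
}


def pearson(x, y):
    """Pearson product-moment correlation; 0.0 when either side is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def observed_from_events(events):
    """Turn the set of indicator names seen on a host into a 0/1 vector."""
    return [1 if name in events else 0 for name in INDICATORS]


def correlate(observed, descriptors=DESCRIPTORS):
    """Score every descriptor and pick the best attack and benign fit.
    A variant of a known attack shows up as that attack with r below 1."""
    scores = {name: (kind, pearson(observed, vec))
              for name, (kind, vec) in descriptors.items()}

    def best(kind):
        return max(((n, r) for n, (k, r) in scores.items() if k == kind),
                   key=lambda t: t[1])

    return {"attack": best("attack"), "benign": best("benign"), "all": scores}


if __name__ == "__main__":
    seen = {"buffer_overflow", "priv_escalation", "new_service",
            "core_files_modified"}          # constructed host activity
    print(correlate(observed_from_events(seen)))
```

With the constructed host activity the worm descriptor scores about 0.73 (an imperfect but strong fit, what the post calls a slightly off coefficient for a possible variant) while the SMS patch explanation scores about -0.17, so an alert would carry both numbers side by side.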