WO2005026872A2 - Internal lan perimeter security appliance composed of a pci card and complementary software - Google Patents


Info

Publication number: WO2005026872A2
Authority: WO (WIPO, PCT)
Prior art keywords: network, card, module, traffic, data
Application number: PCT/IL2004/000849
Other languages: French (fr)
Other versions: WO2005026872A3 (en)
Inventor: Raz Raviv
Original Assignee: Terassic-5 Infosec Ltd
Application filed by Terassic-5 Infosec Ltd
Publication of WO2005026872A2
Publication of WO2005026872A3


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis

Definitions

  • The system may be configured (according to policy) to block or suspend switch ports which are detected as carrying illegal traffic. This is accomplished by continuously monitoring switch ports in order to detect foreign MAC address connections, virus outbreaks and illegal network activities. Once such a port has been identified, the system communicates with the backbone switch using Telnet, Secure Shell (SSH) or Simple Network Management Protocol (SNMP) to issue block or suspend port commands.
  • Another mode of operation supported by the system is timely information extraction from enterprise switches.
  • The system may issue SNMP queries every few minutes in order to investigate whether new MACs have appeared on the sampled switch. In this case there is no need for sniffing; the system may reach remote switches and thus serve as a central Security Operations Center product.
  • Integrating an NIDP appliance with the network backbone enables the system to provide total layer-2 protection from physical intrusion attempts through "hot" network sockets left unmonitored within the office.
  • The system offers protection from internal and external DoS attacks by detecting internal load buildups on specific communication terminals. It identifies the signature pattern of the attacks and records it to prevent similar attacks in future.
  • The proposed system also operates as a hardware performance enhancer.
  • A central network system such as a firewall, a router, a backbone switch, an information processing system (IPS) and the like demonstrates significant improvements in performance when electronic acceleration is integrated into its core.
  • Header inspection also checks that each packet conforms to the formats the relevant RFCs require (countering XMAS, NULL, FIN and other network scans).
  • An additional feature of the system is that it provides a statistical traffic sampling tool.
  • Network traffic is continuously sampled and analyzed for detection of anomalies over the time axis.
  • The PCI adapter carries out the required measurements in parallel to the regular packet-header dissection. This allows the intrusion-detection, packet-filtering and statistical-analysis modules to work seamlessly and simultaneously.
  • Timely measurements and relative variances are propagated at arbitrary points in time onto the overlying operating system for long-term storage, for training and learning about past incidents.
  • The system may provide traffic normalization capabilities. Based on bargain-point equilibrium formulas, the system achieves a state of relatively fair allocation of bandwidth among network nodes. Unlike traditional Quality of Service systems, the system is not configured with static bandwidth quotas. Rather, it uses its statistical learning abilities to learn the typical usage of bandwidth per workstation. In cases of suddenly increased activity, the system may allocate additional network resources to the demanding node, at the expense of less demanding network nodes at that point in time.
  • FIG. 3 is a block diagram illustrating the principal hardware modules of the system.
  • Information packets 300 from the network flow into the system 200, are defragmented by the fragment assembly component 310 and are parsed by the packet parsing component 320.
  • Data is then analyzed by the components of the expert system 330: the filter 331, the IP anti-spoofing component 332 and the string matching accelerator 333.
  • The fuzzy logic engine 340 extrapolates the nature of the current data by relying on the system's accumulated statistical data.
  • The system also includes a load balancing component 350 and a network performance accelerator 360.
  • The system further includes a graphic user interface providing the network manager with diagrammatic representations of network traffic.
  • This tool facilitates tracking abnormal communication signals, which may be identified by special patterns.
  • IDS and VA (vulnerability assessment) systems depend on continuously updated databases for detecting new types of vulnerabilities and intrusions.
  • Proactive knowledge of potential security breaches within the network is gained using vulnerability detection scanners. Incorporating this information into the enterprise intrusion detection system raises awareness of specific immediate dangers due to unpatched and/or misconfigured systems.
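The switch-port blocking and the periodic SNMP polling for new MACs described in the items above, as an added example that is not part of the patent. It is Python, standard library only, and parses the text that net-snmp's `snmpwalk -On` prints for the BRIDGE-MIB forwarding table (dot1dTpFdbPort) and the bridge-port to ifIndex map (dot1dBasePortIfIndex); the sample walk output, the switch name SW1, the community strings and the baseline table are constructed, and the blocking action is the IF-MIB ifAdminStatus write rather than whatever vendor command the patent's appliance issued.

```python
"""
Added example (not from the patent): the periodic switch poll. It parses the
text that net-snmp's `snmpwalk -On` prints for the bridge forwarding table
(dot1dTpFdbPort) and the bridge-port to ifIndex map (dot1dBasePortIfIndex),
diffs the table against the previous snapshot to find MACs that are new,
unauthorised or moved to another port, and builds the `snmpset` that
administratively downs the port (ifAdminStatus = down). The walk output
below is constructed; with a real switch, feed in the output of the commands
named in the comments.
"""
import re
import shlex

FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"          # BRIDGE-MIB dot1dTpFdbPort, index = MAC as 6 decimal octets
BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB dot1dBasePortIfIndex, bridge port -> ifIndex
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"       # IF-MIB ifAdminStatus: 1 = up, 2 = down

# Constructed sample of: snmpwalk -v2c -c public -On SW1 1.3.6.1.2.1.17.4.3.1.2
SAMPLE_FDB = """\
.1.3.6.1.2.1.17.4.3.1.2.0.80.86.171.205.1 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.80.86.171.205.2 = INTEGER: 4
.1.3.6.1.2.1.17.4.3.1.2.222.173.190.239.0.1 = INTEGER: 4
"""
# Constructed sample of: snmpwalk -v2c -c public -On SW1 1.3.6.1.2.1.17.1.4.1.2
SAMPLE_PORT_MAP = """\
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.4 = INTEGER: 10004
"""


def parse_fdb(walk_text: str) -> dict:
    """MAC ('aa:bb:cc:dd:ee:ff') -> bridge port number."""
    pat = re.compile(re.escape(FDB_PORT) + r"\.((?:\d+\.){5}\d+) = INTEGER: (\d+)")
    table = {}
    for octets, port in pat.findall(walk_text):
        mac = ":".join(f"{int(o):02x}" for o in octets.split("."))
        table[mac] = int(port)
    return table


def parse_port_map(walk_text: str) -> dict:
    """bridge port number -> ifIndex."""
    pat = re.compile(re.escape(BASE_PORT_IFINDEX) + r"\.(\d+) = INTEGER: (\d+)")
    return {int(p): int(i) for p, i in pat.findall(walk_text)}


def audit(previous: dict, current: dict, authorised: set) -> list:
    """(mac, port, reason) for every MAC that is unauthorised, new, or has moved port."""
    findings = []
    for mac, port in sorted(current.items()):
        if mac not in authorised:
            findings.append((mac, port, "unauthorised MAC"))
        elif mac not in previous:
            findings.append((mac, port, "new MAC"))
        elif previous[mac] != port:
            findings.append((mac, port, f"moved from port {previous[mac]}"))
    return findings


def shutdown_command(host: str, community: str, bridge_port: int, port_map: dict) -> str:
    """The net-snmp command that sets ifAdminStatus to down(2) for the port's ifIndex."""
    if_index = port_map[bridge_port]
    return f"snmpset -v2c -c {shlex.quote(community)} {shlex.quote(host)} {IF_ADMIN_STATUS}.{if_index} i 2"


if __name__ == "__main__":
    baseline = {"00:50:56:ab:cd:01": 3, "00:50:56:ab:cd:02": 4}   # last poll (constructed)
    now = parse_fdb(SAMPLE_FDB)
    for mac, port, why in audit(baseline, now, set(baseline)):
        print(mac, port, why)
        print(shutdown_command("SW1", "private", port, parse_port_map(SAMPLE_PORT_MAP)))
```

The snmpset emitted here is a write authorised by nothing more than a community string; on a real network use SNMPv3 with authentication and privacy, restrict the agent's write access to the appliance's address, and remember that Telnet, which the text also lists as a control channel, sends its credentials in clear. Downing ifAdminStatus removes everything behind that port, a downstream hub included, so the audit result deserves a look before the command runs.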

Abstract

A system for providing LAN security which operates on communication layers 2 to 7 is disclosed. The system is comprised of a PCI card which performs the monitoring of the communication on the LAN and statistical analysis of the data traffic, and implements fuzzy logic and protocol flow inspection for identifying any abnormal and suspicious communication activity. It is composed of a hardware network interface, whose presence on the network is invisible to the network users, and of an additional interface issuing session interception signals. Using discriminant-function classification, the system can learn to recognize and differentiate anomalous traffic within standard network signals. The system is equipped for rapid recognition of known and unknown malicious activities within routine network traffic. Coupled with known protocol flow comparison, the system detects masquerading, eavesdropping, scanning, denial-of-service attacks and 'hacking' attempts. The system also performs network communication flow optimization and hardware performance enhancement.

Description

Internal LAN Perimeter Security Appliance Composed of a PCI Card and complementary software
BACKGROUND

The invention relates to communication networks, and more particularly to a system, method and apparatus for providing secure internetworking of a LAN using intra-network hardware implementations. Security management systems prevalent in the prior art mainly address security at the higher networking communication layers, primarily the application or session layer. Although network intrusions occur frequently, most intrusion detection methods disclosed in the prior art are incapable of recognizing intrusions through the lower layers of the network communication transmission protocols and hardware connections.
Following is a description of the most prevalent securing methods. Traditionally, pure Intrusion Detection Systems (IDS) serve basically as traditional sniffers hooked onto a database of known intrusion attacks. An IDS compares each packet sniffed off the live network traffic against the known attack signatures database. In case a match is found, an alert is recorded in a log for later analysis, or propagated to the system administrator via the network. Most current-day IDSs contain the ability to send a session-kill signal to a designated border gateway, such as a router or firewall. In this manner, an entry is added to the gateway's Access Control List (ACL), in order to prevent further inbound access from the malicious activity within a specific network session.

The most widely used method of terminating a network session at the gateway is carried out by sending both conversing parties an RST packet. This RST packet, as defined within the Transmission Control Protocol (TCP), notifies the system currently in session that an error has occurred in the communication flow. Thus, each side of the session is expected to cease communication and flush whatever data has been accumulated within its memory buffer. In order to invoke a session reset, a third-party device must satisfy the following requirements: it must serve as gateway in between the two conversing parties; it must be trusted by both parties to manage the routing and data transfer between them; and it must know the Initial Sequence Number (ISN) and calculate the offset of the packet numbering from the beginning of the session. Having satisfied the above requirements, the gateway may masquerade as party A whilst sending an RST packet to party B, and vice versa. This enables it to disconnect the TCP session. However, a User Datagram Protocol (UDP) session, by definition, is not connection based, and therefore will not be affected by a session reset attempt as described above.
In order to handle both UDP and TCP sessions, and maintain the ability to drop any session on request, firewalls sometimes work in what is known as inline mode. In this mode, two different network interfaces are utilized to connect the two sides of the network border. During regular communication flow, packets are routed from one network interface card (NIC) to the other whilst the firewall device serves as a regular network bridge. In the event that a session needs to be terminated, all packets belonging to the specific session are dropped at the firewall instead of passing from the external NIC to the internal one. The only requirement for this mode of work is that the firewall resides physically in between the two conversing parties, segmenting the two sides into two different networks.

Currently there are several networking equipment manufacturers which enable the switch administrator to define a pool of allowed MAC addresses per network port. This allows the administrator to enforce MAC security at the backbone level, preventing unknown NICs from connecting and establishing communication at layer 2. This definition needs to be configured manually per switch, which might be troublesome on certain switches when working with roaming computers, such as laptops.

The 802.1X standard protocol derives its design from both the dial-up and the wireless networking worlds as a hybrid protocol. Based on the underlying Extensible Authentication Protocol (EAP), the 802.1X protocol enables user authentication to be carried out prior to enabling access to the network backbone. As a user attaches to a network switch with the intent of using the network port for communication with the rest of the network, he/she must supply a username/password or a security certificate. For this aim, an 802.1X authentication server, such as a RADIUS server, must be installed and configured in order to manage a user repository.
Since most current intrusion detection systems focus on traffic at the network's layer 3 and above, a spoofed IP address can easily pass for a legitimate node on the internal network. The nature of the Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP) may be exploited in such a manner. Since ARP has no authentication method implemented according to RFC requirements, any station with physical access to the network backbone may forge its identity. Thus, intruders wishing to masquerade as legitimate network nodes need only connect to a physical port on one of the network switches in order to publish their unique MAC address bound to a legitimate, working IP address of a different computer. As long as the intruder's ARP broadcasts keep pace with those of the legitimate station, the network will respond to both seamlessly, as though they were the same station. In this method, the intruder may play the role of a Man-In-The-Middle (MITM), by reading the misdirected traffic and subsequently retransmitting it to the legitimate destination, thus maintaining transparency. Some software systems have the ability to transmit alerts upon the connection of a previously unknown MAC address to the network. However, these systems are not able to intercept such attacks, nor are they able to locate the point at which the intrusion has occurred. It is therefore the object of the present invention to provide a network intrusion detection and prevention system (NIDP) based on identification and interception of unauthorized user communication.
SUMMARY

A system for network intrusion detection and prevention which is implemented on a PCI card is disclosed. The system includes management of network security and access control, while the card's activity is transparent to network communication. The system is comprised of a monitoring module for tracking and recording data traffic on all communication layers (layer 2 to layer 7), wherein the data includes switch ports, MAC addresses and IP addresses; a learning module for recognizing anomalous traffic data within standard network signals; an analyzing module for identifying suspicious activity on the local network, wherein the analysis is based on fuzzy logic rules applied to the monitored data and on recognized patterns of anomalous traffic data; and a security module for alerting or activating prevention activities upon detection of suspicious activity. The system also includes a comparison module for checking new transmission data against an authorization table of known correlations of IP addresses, switch ports and MAC addresses. It prevents eavesdropping by identifying Address Resolution Protocol (ARP) spoofing based on statistical analysis and layer-2 network state monitoring. The eavesdropping prevention module includes a Dynamic Host Configuration Protocol (DHCP) analyzer. The prevention activities include interception of the session at application level, denying access to a specific switch block for a controllable time interval, or completely blocking access through a given switch port. A user interface module provides graphic representations of network traffic in which abnormal patterns of suspicious communication data are identified. An assessment module receives data from a vulnerability assessment tool and improves the monitoring and analysis of network traffic data. A load balancing module is also included, which operates based on the analyzed traffic data, as well as a defragmentation module for checking the data packets in their original form.
A filtering module checks packet headers and filters data packets before they reach any software module. Filtering is based on source/destination MAC and IP addresses, network ports, switch ports or protocol type, data which is stored in the card memory. The system also performs traffic normalization based on bargain-point equilibrium formulas, in order to achieve a state of relatively fair allocation of bandwidth among network nodes. Bandwidth allocation is based on statistical history data of typical bandwidth usage per workstation and on the online behavior of the bandwidth consumed by specific network nodes.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is an illustration of prior art;
Figure 2 is a schematic illustration of the traffic flow according to the preferred embodiment of the present system;
Figure 3 is a block diagram illustrating the high-level design view of hardware modules according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The invention includes a monitoring system for tracking and recording data traffic on all communication layers (layer 2 through layer 7) and an analysis module based on fuzzy logic and protocol flow inspection, for identifying any suspicious activity on the local network. It is composed of a hardware network interface, whose presence on the network is invisible to the network users, and of an additional interface issuing session interception signals. Using discriminant-function classification, the system can learn to recognize and differentiate anomalous traffic within standard network signals. Implemented at chip level, fuzzy logic Digital Signal Processing (DSP) technology enables rapid recognition of known and unknown malicious activities within routine network traffic. Coupled with known protocol flow comparison, the system detects masquerading, eavesdropping, scanning, denial-of-service (DoS) attacks and "hacking" attempts. The monitoring system includes the examination of new communication transmissions, correlating IP addresses (utilizing DHCP listening), MAC addresses and switch port with an updated table of authorized connections. Unknown or new combinations are marked as possible intrusions. A foreign (out-of-office) network interface card (NIC) by default cannot connect to the local network unless permission is granted by the manager. Any appearance of a new or a duplicate IP-MAC address pair automatically alerts the system. Address Resolution Protocol (ARP) spoofing is the most widely used method for local network penetration and invisible eavesdropping on data communication. This type of intrusion cannot be prevented by most access control systems, especially when operated in combination with MAC spoofing.
By keeping both the system level and the hardware level under surveillance, the system is able to maintain the network's integrity and to protect it from intrusion by local and foreign ARP spoofing. The system's intrusion detection module incorporates traditional IDS methods using packet signature matching in real time, statistical anomaly detection in the network traffic flow, as well as proprietary technology for detection of network eavesdropping attempts. The following technologies enable precise correlation of detected events, thereby mitigating false positives and false negatives. Packet signature comparison is performed at wire level, implemented in ASIC technology within the PCI adapter. Network traffic passes from the Ethernet adapter, through the PCI accelerator, into the communication bus of the system's appliance. Each TCP/IP packet traveling through the PCI adapter is compared against a database of known intrusion signatures saved within the PCI adapter's on-board flash memory. DHCP and ARP traffic is monitored at layer 2 and saved as record tables. It is then compared against pre-configured defaults. In case a spoofed DHCP server or MAC-IP pair is detected, the system alerts and acts against the offending node. This mode of operation enables detection and counter-action against data sniffing and/or injection on network backbones, including hubs, switches and routers. The system's fuzzy logic module bases its operation upon statistical behavior learning. At its initialization, the module examines patterns of traffic by passively monitoring the network backbone. After a period of a few days, the sampled patterns are grouped into discriminant clusters of vectors. Each group of vectors characterizes a range of traffic signals which share common frequencies and source/destination as well as other attributes. During the learning process, the clusters may expand and contract according to the convergence and divergence of their essential signals.
Once the learning period has been satisfied, any traffic that seems too foreign to be classified within the known clusters triggers an alert. Based on prior academic research, this method has proven effective in detecting network scans, Trojan horses, Denial-of-Service attacks and more.

Figure 1 is a schematic illustration of the prior art and Figure 2 is a schematic diagram of traffic flows according to the preferred embodiment of the present invention. In contrast to the prevalent standards, illustrated in Figure 1, in which firewall products 130 focus on filtering network traffic traveling between the outbound 110 and inbound 100 connections of a network while the malicious factors 140 may reside inside the network, the system 200 performs traffic filtering by monitoring all network sessions 131, 132 flowing through the network backbone 110 between every two stations 121, 122 on the network.

A graphic user interface allows the administrator to define access policies for network stations and servers, identifying each node by its unique MAC address. In normal operation, the system 200 monitors traffic through a NIC interface residing on a hub or a mirroring port 240 of the backbone switch 210. The system is also connected to an active standard full-duplex port through which it can send commands. Upon identifying an access violation, the network node which tries to establish the illegitimate session is automatically routed through the system 200 in order to filter the illegitimate activity, while still allowing the legitimate traffic originating from the same node to pass through.

The filtering process is carried out in the following order. First, the system 200 detects illegitimate traffic by its MAC and IP address, its port, or by intrusion signatures, via an interface residing on the mirroring port.
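The statistical learning described in the two preceding paragraphs (a passive learning period, traffic vectors grouped into clusters that expand and contract, then an alert for anything too foreign to fit a cluster) is shown below as an added example written for this page; it is not the patent's fuzzy-logic DSP implementation. The clustering method (k-means over z-scored attributes, with each cluster's radius taken as its farthest member), the four attributes per host and the training data are all assumptions constructed for the illustration:

```python
import math
import random
from typing import List, Sequence, Tuple

Vector = Tuple[float, ...]


def _dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _centroid(group: List[Vector]) -> Vector:
    return tuple(sum(col) / len(group) for col in zip(*group))


class TrafficClusterer:
    """Learns clusters of per-host traffic vectors during a passive learning period,
    then scores later vectors by distance to the nearest cluster (constructed example)."""

    def __init__(self, k: int = 2, seed: int = 1) -> None:
        self.k, self.seed = k, seed
        self.means: Vector = ()
        self.stds: Vector = ()
        self.centroids: List[Vector] = []
        self.radii: List[float] = []

    def _norm(self, v: Sequence[float]) -> Vector:
        # z-score each attribute so raw packet counts do not swamp port counts
        return tuple((x - m) / s for x, m, s in zip(v, self.means, self.stds))

    def _assign(self, data: List[Vector], centroids: List[Vector]) -> List[List[Vector]]:
        groups: List[List[Vector]] = [[] for _ in centroids]
        for v in data:
            groups[min(range(len(centroids)), key=lambda i: _dist(v, centroids[i]))].append(v)
        return groups

    def fit(self, samples: List[Vector]) -> None:
        cols = list(zip(*samples))
        self.means = tuple(sum(c) / len(c) for c in cols)
        self.stds = tuple(max(math.sqrt(sum((x - m) ** 2 for x in c) / len(c)), 1e-9)
                          for c, m in zip(cols, self.means))
        data = [self._norm(s) for s in samples]
        centroids = random.Random(self.seed).sample(data, self.k)
        for _ in range(100):                    # Lloyd's k-means iterations
            groups = self._assign(data, centroids)
            updated = [_centroid(g) if g else c for g, c in zip(groups, centroids)]
            if updated == centroids:
                break
            centroids = updated
        groups = self._assign(data, centroids)
        self.centroids = centroids
        # A cluster's radius is its farthest member's distance, so clusters grow and
        # shrink with the learnt signals (the floor of one z-unit is applied in score())
        self.radii = [max((_dist(v, c) for v in g), default=0.0)
                      for g, c in zip(groups, centroids)]

    def score(self, sample: Sequence[float]) -> Tuple[int, float]:
        """Nearest cluster index and distance expressed in multiples of its radius."""
        v = self._norm(sample)
        idx = min(range(len(self.centroids)), key=lambda i: _dist(v, self.centroids[i]))
        return idx, _dist(v, self.centroids[idx]) / max(self.radii[idx], 1.0)

    def is_anomalous(self, sample: Sequence[float], tolerance: float = 1.5) -> bool:
        # Too foreign to belong to any learnt cluster: raise an alert
        return self.score(sample)[1] > tolerance


def constructed_training_set(seed: int = 7) -> List[Vector]:
    """Constructed per-host samples (packets/min, distinct dst ports, distinct dst hosts,
    mean frame bytes) for a learning window; not captured data."""
    rng = random.Random(seed)
    workstations = [(rng.uniform(150, 450), rng.randint(2, 8), rng.randint(1, 6),
                     rng.uniform(400, 1000)) for _ in range(60)]
    servers = [(rng.uniform(2000, 3000), rng.randint(2, 3), rng.randint(20, 40),
                rng.uniform(600, 1000)) for _ in range(20)]
    return workstations + servers


def run_demo() -> dict:
    clf = TrafficClusterer(k=2, seed=1)
    clf.fit(constructed_training_set())
    probes = {"workstation": (300, 4, 3, 700),      # ordinary desktop behaviour
              "port_scan": (1500, 900, 1, 60),       # many ports, one host, tiny frames
              "flood": (20000, 1, 1, 1400)}          # one target, huge packet rate
    return {name: clf.is_anomalous(v) for name, v in probes.items()}
```

The port-scan probe is caught by its distinct-port count and the flood by its packet rate, even though neither matches any signature; that is the point of the statistical module. The tolerance factor is the knob that trades false positives against missed anomalies, which the description addresses by letting clusters keep adjusting during the learning period.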
Then the system 200 identifies the conversing parties 221, 222, saves their MAC-IP pairings in its memory and begins ARP-poisoning the two parties by feeding their ARP tables with spoofed MAC-IP pairs. These spoofed pairs direct whatever IP may be looked up to the MAC address of the system 200. Whenever one side of the communication 221 tries to establish a session with the other 222, it looks up the ARP table at the backbone 210 and finds the requested IP associated with the MAC of the system 200. From then on, all traffic 231, 232 from both sides is routed to the system 200. Legitimate sessions are routed seamlessly via the system 200, while the illegal sessions' packets are dropped at entrance. In this fashion, only traffic that has been deemed legal may reach its target. Once the illegal communication attempts cease, the system 200 performs the ARP process again for both poisoned sides by sending ARP packets containing the real MAC-IP addresses. Thus the traffic 231, 232 continues without having to pass continuously through the system.
In cases where immediate and severe action must be taken against an intruder, the system may be configured (according to policy) to block or suspend switch ports which are detected as carrying illegal traffic. This is accomplished by continuously monitoring switch ports in order to detect foreign MAC address connections, virus outbreaks and illegal network activities. Once such a port has been identified, the system communicates using Telnet, Secure Shell (SSH) or Simple Network Management Protocol (SNMP) to issue block or suspend port commands to the backbone switch.

Another mode of operation supported by the system is timely information extraction from enterprise switches. The system may issue SNMP commands every few minutes in order to investigate whether new MACs have appeared on the sampled switch. In this case there is no need for sniffing; the system may reach remote switches and thus serve as a central Security Operations Center product.
Integrating an NIDP appliance and the network backbone enables the system to provide total layer-2 protection from physical intrusion attempts through "hot" network sockets left unmonitored within the office. The system offers protection from internal and external DoS attacks by detecting internal load buildups on specific communication terminals. It identifies the signature pattern of the attacks and records it to prevent similar attacks in the future.

The proposed system also operates as a hardware performance enhancer. A central network system such as a firewall, a router, a backbone switch, an information processing system (IPS) and the like demonstrates significant improvements in performance when electronic acceleration is integrated into its core. As regular PC-based operating systems are limited by resource requirements such as CPU cycles, RAM memory and HD swap space, task-oriented coprocessors are usually developed with the aim of offloading routine tasks from the operating system's resources. Specifically, the system is designed as an Application Specific Integrated Circuit (ASIC) processor implemented within a standard PCI-bus adapter. As traffic flows through the system, several operations are carried out within the coprocessor.

Whenever network packets exceed the maximum length a network router can handle, the latter may divide one packet into multiple sub-packets which are called fragments. Each fragment is labeled with a sequence number according to its place in the original packet. Since intrusion detection systems need to examine the original packet as it appeared prior to the fragmentation process, these fragments need to be reassembled before entering the signature-database checking module. The system therefore automatically performs packet defragmentation.

The system also performs packet filtering. Commonly, within gateway firewalls, an Access Control List (ACL) is produced by the administrative user.
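The defragmentation step described above exists because a signature may straddle two fragments, so matching each fragment on its own misses it. The following is an added example written for this page, not the card's reassembly logic: fragments are represented as byte offsets (IPv4 carries the offset in 8-byte units rather than the "sequence number" the description mentions), the signature strings are constructed stand-ins for the on-board database, and the reassembler refuses overlapping fragments, the classic evasion against reassembling inspectors:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    ident: int        # IPv4 Identification, shared by every fragment of one datagram
    offset: int       # byte offset of this piece (the IP header stores it in 8-byte units)
    more: bool        # More Fragments flag; False marks the last piece
    payload: bytes


@dataclass
class _Buffer:
    pieces: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total: Optional[int] = None                              # datagram length, known once MF=0 arrives


class Reassembler:
    """Rebuilds datagrams from fragments so later modules inspect the original packet."""

    def __init__(self) -> None:
        self.buffers: Dict[int, _Buffer] = {}
        self.dropped: List[Tuple[int, str]] = []   # (ident, reason) for discarded datagrams

    def _discard(self, ident: int, reason: str) -> None:
        self.buffers.pop(ident, None)
        self.dropped.append((ident, reason))

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Returns the complete datagram when the last missing piece arrives, else None."""
        buf = self.buffers.setdefault(frag.ident, _Buffer())
        end = frag.offset + len(frag.payload)
        if buf.pieces.get(frag.offset) == frag.payload:
            return None                                      # exact retransmission, ignore
        for off, data in buf.pieces.items():
            if frag.offset < off + len(data) and off < end:
                # Overlapping pieces are a classic IDS-evasion trick: refuse the datagram
                self._discard(frag.ident, "overlap")
                return None
        if buf.total is not None and end > buf.total:
            self._discard(frag.ident, "beyond_end")          # data past the declared last piece
            return None
        buf.pieces[frag.offset] = frag.payload
        if not frag.more:
            buf.total = end
        if buf.total is None:
            return None
        pos = 0                                              # verify contiguous coverage 0..total
        for off in sorted(buf.pieces):
            if off != pos:
                return None                                  # gap: still waiting for a piece
            pos += len(buf.pieces[off])
        if pos != buf.total:
            return None
        del self.buffers[frag.ident]
        return b"".join(buf.pieces[off] for off in sorted(buf.pieces))


# Constructed signature patterns standing in for the on-board signature database
SIGNATURES = [b"../../", b"<script>"]


def match_signatures(data: bytes) -> List[bytes]:
    return [sig for sig in SIGNATURES if sig in data]


def run_demo() -> dict:
    """Constructed traffic: a signature split across fragments, then an overlap."""
    payload = b"GET /../../etc/passwd HTTP/1.0"
    pieces = [Fragment(7, 0, True, payload[:8]),
              Fragment(7, 8, True, payload[8:24]),
              Fragment(7, 24, False, payload[24:])]
    per_fragment = [match_signatures(p.payload) for p in pieces]   # nothing matches alone
    r = Reassembler()
    rebuilt = None
    for frag in (pieces[2], pieces[0], pieces[1]):              # delivered out of order
        rebuilt = r.add(frag) or rebuilt
    r.add(Fragment(9, 0, True, b"A" * 8))
    r.add(Fragment(9, 4, False, b"B" * 8))                      # overlaps bytes 4..7 of the first piece
    return {"per_fragment": per_fragment, "rebuilt": rebuilt,
            "matches": match_signatures(rebuilt) if rebuilt else [], "dropped": r.dropped}
```

Per-fragment matching returns nothing for all three pieces while the rebuilt datagram matches, and the second datagram is dropped with reason "overlap" rather than being reassembled by either the first-wins or last-wins policy; a real appliance would also time out buffers that never complete, which this example omits.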
Once the ACL has been established, these rules are interpreted into blocking criteria according to source/destination MAC and IP addresses, network ports, switch ports and protocol type. Consequently, network traffic is immediately filtered at entrance to the coprocessor, prior to reaching the software components. This is accomplished by storing an image of the ACL within the PCI card's volatile memory every time the system is brought online. Thus, for each frame traveling through the system's network interface, the above-mentioned headers are inspected before the packet is allowed to continue into the other modules. Header inspection also verifies that each packet conforms to normal RFC formats (countering XMAS, NULL, FIN and other network scans).

An additional feature of the system is a statistical traffic sampling tool. As mentioned in regard to the fuzzy logic module, network traffic is continuously sampled and analyzed for detection of anomalies over the time axis. As this is a resource-consuming, rigorous task, the PCI adapter carries out the required measurements in parallel to the regular packet-header dissection. This allows the intrusion-detection, packet-filtering and statistical-analysis modules to work seamlessly and simultaneously. Timely measurements and relative variances are propagated at arbitrary points in time to the overlying operating system for long-term storage, for training and learning about past incidents.

Finally, the system may provide traffic normalization capabilities. Based on bargain-point equilibrium formulas, the system achieves a state of relatively fair allocation of bandwidth among network nodes. Unlike traditional Quality of Service systems, the system is not configured with static bandwidth-quota parameters. Rather, it utilizes its statistical learning abilities to learn the typical usage of bandwidth per workstation.
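The header-level ACL filtering and RFC-format check from the first paragraph above, as an added example written for this page (not the card's ASIC logic): it dissects Ethernet II / IPv4 / TCP headers from raw bytes, applies a list of blocking rules keyed on the fields the description names, and rejects the XMAS, NULL and FIN flag combinations. The switch-port criterion is omitted because a frame by itself does not carry it; the rule format, the frame builder and all addresses are constructed for the illustration:

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_IPV4 = 0x0800
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Headers:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: Optional[int] = None


def parse_headers(frame: bytes) -> Headers:
    """Dissects Ethernet II / IPv4 / TCP headers; raises ValueError on malformed input."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("bad IPv4 header")            # fails the "normal RFC format" test
    h = Headers(src_mac=frame[6:12].hex(":"), dst_mac=frame[:6].hex(":"),
                src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
                proto=ip[9])
    if h.proto == 6:
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        h.sport, h.dport = struct.unpack("!HH", tcp[:4])
        h.tcp_flags = tcp[13] & 0x3F
    return h


@dataclass
class BlockRule:
    """One ACL entry; every field that is set must match for the frame to be blocked."""
    src_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, h: Headers) -> bool:
        checks = ((self.src_mac, h.src_mac), (self.src_ip, h.src_ip), (self.dst_ip, h.dst_ip),
                  (self.proto, h.proto), (self.dport, h.dport))
        return all(want is None or want == got for want, got in checks)


def scan_flags(flags: int) -> Optional[str]:
    """Names TCP flag combinations that no conformant sender emits to open a connection."""
    if flags == 0:
        return "NULL"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "XMAS"
    if flags == FIN:
        return "FIN"
    return None


def filter_frame(frame: bytes, acl: List[BlockRule]) -> str:
    """Returns 'pass' or 'drop:<reason>'; runs before any software module sees the packet."""
    try:
        h = parse_headers(frame)
    except ValueError as err:
        return f"drop:malformed:{err}"
    if h.tcp_flags is not None and scan_flags(h.tcp_flags):
        return f"drop:scan:{scan_flags(h.tcp_flags)}"
    for index, rule in enumerate(acl):
        if rule.matches(h):
            return f"drop:acl:{index}"
    return "pass"


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b"") -> bytes:
    """Constructed TCP/IPv4/Ethernet frame for testing (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV4) + ip + tcp


ACL = [BlockRule(dst_ip="10.0.0.5", dport=23),        # constructed policy: no Telnet to the server
       BlockRule(src_mac="de:ad:be:ef:00:01")]        # a NIC the administrator has banned


def run_demo() -> dict:
    ws, srv = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:05"

    def frame(smac, dport, flags):
        return build_frame(smac, srv, "10.0.0.11", "10.0.0.5", 40000, dport, flags)

    return {"http_syn": filter_frame(frame(ws, 80, SYN), ACL),
            "telnet_syn": filter_frame(frame(ws, 23, SYN), ACL),
            "banned_nic": filter_frame(frame("de:ad:be:ef:00:01", 80, SYN), ACL),
            "null_scan": filter_frame(frame(ws, 80, 0), ACL),
            "xmas_scan": filter_frame(frame(ws, 80, FIN | PSH | URG), ACL),
            "truncated": filter_frame(frame(ws, 80, SYN)[:40], ACL)}
```

The sanity checks run before the ACL so that a malformed frame can never be "allowed" by a permissive rule, and the truncated frame is rejected because its IPv4 total length exceeds the bytes actually present, the same header-consistency test that catches many crafted probes.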
In cases of suddenly increased activity, the system may allocate additional network resources to the demanding node, at the expense of less demanding network nodes at that point in time. In cases of virus outbursts, flood attempts and denial-of-service attacks against unique resources within the network, the system intervenes and decreases the bandwidth being consumed by the specific network nodes.

Figure 3 is a block diagram illustrating the principal hardware modules of the system. Information packets 300 from the network flow into the system 200, are defragmented at the fragment assembly component 310 and are parsed by the packet parsing component 320. Data is then analyzed by the expert system's 330 components: the filter 331, the IP anti-spoofing component 332 and the string matching accelerator 333. The fuzzy logic engine 340 extrapolates the nature of the current data by relying on the system's accumulated statistical data. The system also includes a load balancing component 350 and a network performance accelerator 360. Analysis results are presented on the system's interface 370. Data packets are then returned to the network 380.

Since the system's eavesdropping detection at layer-2 depends on keeping track of MAC-IP pair changes within the network traffic, a Dynamic Host Configuration Protocol (DHCP) analyzer serves as an integral unit within the eavesdropping detection module. At its initial operation, the system learns the address of the legitimate DHCP server within the network. This prevents DHCP spoofing attempts from confusing the network nodes and the system. As new DHCP requests are made by clients, and new IP addresses are issued by the DHCP server to arbitrary MAC addresses, Prometheus seamlessly updates its MAC-IP tables in order to maintain the correct links between NICs and issued IP addresses.

The system further includes a graphic user interface providing the network manager with diagrammatic representations of network traffic.
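The traffic normalization behaviour described above (learnt per-node usage instead of static quotas, extra bandwidth for a bursting node at the expense of idle ones, and throttling of nodes caught flooding) is illustrated below with an added example written for this page. The patent does not state its bargain-point equilibrium formulas, so this example substitutes a weighted max-min fair allocation (water-filling with the learnt baselines as weights); that choice, the penalty factor for flagged nodes, and the throughput samples are all assumptions:

```python
from typing import Dict, FrozenSet, List


def learn_baseline(history: Dict[str, List[float]]) -> Dict[str, float]:
    """Typical usage per node: mean throughput over the learning window (constructed samples)."""
    return {node: sum(samples) / len(samples) for node, samples in history.items()}


def allocate(capacity: float, demands: Dict[str, float], baseline: Dict[str, float],
             flagged: FrozenSet[str] = frozenset(), penalty: float = 0.25) -> Dict[str, float]:
    """Weighted max-min fair (water-filling) split of `capacity` among `demands`.
    Weights are the learnt baselines; nodes flagged as flooding are capped at
    penalty * baseline.  This stands in for the unspecified equilibrium formula."""
    weight = {n: max(baseline.get(n, 0.0), 1e-3) for n in demands}   # unknown nodes get a tiny weight
    limit = {n: min(d, penalty * weight[n]) if n in flagged else d for n, d in demands.items()}
    alloc = {n: 0.0 for n in demands}
    remaining = float(capacity)
    active = set(demands)
    while active and remaining > 1e-9:
        total_weight = sum(weight[n] for n in active)
        share = {n: remaining * weight[n] / total_weight for n in active}
        # Nodes whose weighted share covers what they still want are settled now;
        # whatever they leave unused is redistributed to the rest in the next round
        satisfied = {n for n in active if share[n] >= limit[n] - alloc[n]}
        if not satisfied:
            for n in active:                      # everyone wants more: split what is left
                alloc[n] += share[n]
            break
        for n in satisfied:
            remaining -= limit[n] - alloc[n]
            alloc[n] = limit[n]
        active -= satisfied
    return alloc


def run_demo() -> Dict[str, Dict[str, float]]:
    # Constructed learning window (Mbit/s samples per node) and three later snapshots
    history = {"ws1": [9, 11, 10], "ws2": [10, 10, 10], "ws3": [11, 9, 10], "srv": [38, 42, 40]}
    base = learn_baseline(history)
    # ws1 bursts while ws2/ws3 are nearly idle: it may take their unused share
    burst = allocate(100, {"ws1": 60, "ws2": 3, "ws3": 3, "srv": 40}, base)
    # everyone exceeds capacity: bandwidth follows the learnt proportions
    contention = allocate(100, {"ws1": 50, "ws2": 50, "ws3": 50, "srv": 100}, base)
    # ws3 was flagged as flooding (e.g. a virus outbreak): it is cut to a quarter of its baseline
    flood = allocate(100, {"ws1": 10, "ws2": 10, "ws3": 500, "srv": 40}, base,
                     flagged=frozenset({"ws3"}))
    return {"baseline": base, "burst": burst, "contention": contention, "flood": flood}
```

In the burst case ws1 receives 54 Mbit/s, far above its 10 Mbit/s baseline, because the idle nodes are settled first and their leftover is passed on; under full contention the split is 100 x 10/70 for each workstation and 100 x 40/70 for the server; and the flagged node is held to 2.5 Mbit/s regardless of what it asks for. A production normalizer would recompute this on every sampling interval rather than once.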
This tool facilitates tracking abnormal communication signals, which may be identified by special patterns.

As the intrusion detection and vulnerability assessment fields become complementary to each other, a need for correlation arises in enterprise environments. Both IDS and VA systems depend on continuously updated databases for detecting new types of vulnerabilities and intrusions. Proactive knowledge of potential security breaches within the network is gained using vulnerability detection scanners. Incorporating this information into the enterprise intrusion detection system raises awareness of specific immediate dangers due to unpatched and/or misconfigured systems. By prioritizing actual vulnerabilities found within the internal network at the top of the intrusion detection database, based on the prevalence of certain vulnerabilities, target IP addresses and monitored traffic, the system's intrusion detection technology is able to focus on the more probable dangers. Once correlation has been made between the occurrence and direction of traffic and vulnerability assessment results (possibly from 3rd party products), the percentage of false positive and false negative detections may be reduced significantly.

All applications and features described above are integrated within a standard PCI chip card which is located in a standard PC machine, such as Sun Blades, Intel motherboards, Motorola PMCs and the like. Such an implementation provides an efficient, high-security service quality.

Claims

What is claimed is:
1. A PCI chip card for network intrusion detection and prevention including management of network security and access control, wherein the card activity is transparent to network communication, said card comprised of:
- monitoring module for tracking and recording data traffic on all communication layers (layer 2) wherein the data includes port switches, MAC addresses and IP Addresses;
- learning module for recognizing anomalous traffic data within standard network signals;
- analyzing module for identifying suspicious activity on the local network wherein the analysis is based on fuzzy logic rules which are applied on monitored data wherein recognized patterns of anomalous traffic data are used;
- security module for alerting or activating prevention activities upon detection of suspicious activity.
2. The card of claim 1 further comprising a comparison module for checking new transmission data against an authorization table of known correlations of IP addresses, port switches and MAC addresses.
3. The card of claim 1 further comprising an eavesdropping prevention module for identifying Address Resolution Protocol (ARP) spoofing based on statistical analysis and layer-2 network state monitoring.
4. The card of claim 3 wherein the eavesdropping prevention module includes a Dynamic Host Configuration Protocol (DHCP) analyzer.
5. The card of claim 1 wherein the prevention activities include interception of a session at application level.
6. The card of claim 1 wherein the prevention activities include denying access to a specific switch block for a controllable time interval or completely blocking access through a given switch port.
7. The card of claim 1 further comprising a load balancing module based on analyzed traffic data.
8. The card of claim 1 further comprising a user interface module for providing graphic representations of network traffic wherein abnormal patterns of suspicious communication data are identified.
9. The card of claim 1 further comprising an assessment module for interfacing with a vulnerability assessment tool and improving the monitoring and analysis of network traffic data.
10. The card of claim 1 further comprising a defragmentation module for checking the data packets in their original form.
11. The card of claim 1 further comprising a filtering module for checking packet headers, enabling data packets to be filtered before reaching any software modules, wherein the filtering is based on source/destination MAC and IP addresses, network ports, switch ports or protocol type data stored in the card memory.
12. The card of claim 1 further comprising a traffic normalization module based on bargain-point equilibrium formulas, for achieving a state of relatively fair allocation of bandwidth among network nodes, wherein allocation is based on statistical history data of typical usage of bandwidth per workstation and online behavior of the consumed bandwidth per specific network nodes.
PCT/IL2004/000849 2003-09-16 2004-09-14 Internal lan perimeter security appliance composed of a pci card and complementary software WO2005026872A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US50294003P 2003-09-16 2003-09-16
US60/502,940 2003-09-16

Publications (2)

Publication Number Publication Date
WO2005026872A2 true WO2005026872A2 (en) 2005-03-24
WO2005026872A3 WO2005026872A3 (en) 2005-05-19

Family

ID=34312424

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2004/000849 WO2005026872A2 (en) 2003-09-16 2004-09-14 Internal lan perimeter security appliance composed of a pci card and complementary software

Country Status (1)

Country Link
WO (1) WO2005026872A2 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7603716B2 (en) 2004-02-13 2009-10-13 Microsoft Corporation Distributed network security service
US7716727B2 (en) 2004-10-29 2010-05-11 Microsoft Corporation Network security device and method for protecting a computing device in a networked environment
US7716726B2 (en) 2004-02-13 2010-05-11 Microsoft Corporation System and method for protecting a computing device from computer exploits delivered over a networked environment in a secured communication
US7814543B2 (en) 2004-02-13 2010-10-12 Microsoft Corporation System and method for securing a computer system connected to a network from attacks
US7929689B2 (en) 2004-06-30 2011-04-19 Microsoft Corporation Call signs
US8086842B2 (en) 2006-04-21 2011-12-27 Microsoft Corporation Peer-to-peer contact exchange
US8417993B2 (en) 2007-06-21 2013-04-09 Microsoft Corporation Fuzz testing and attack-surface scoping for URI handlers and pluggable protocols
CN104468211A (en) * 2014-12-02 2015-03-25 中广核工程有限公司 Nuclear power station numerical control system platform communication failure diagnostic system and method
US9665458B2 (en) 2011-06-01 2017-05-30 Data Security Solutions, Llc Method and system for providing information from third party applications to devices
CN111885068A (en) * 2020-07-28 2020-11-03 杭州默安科技有限公司 Bypass deployment traffic distribution method and system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8261062B2 (en) 2003-03-27 2012-09-04 Microsoft Corporation Non-cryptographic addressing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6292838B1 (en) * 1999-08-23 2001-09-18 3Com Corporation Technique for automatic remote media access control (MAC) layer address resolution
US6304973B1 (en) * 1998-08-06 2001-10-16 Cryptek Secure Communications, Llc Multi-level security network system
US20020107953A1 (en) * 2001-01-16 2002-08-08 Mark Ontiveros Method and device for monitoring data traffic and preventing unauthorized access to a network
US20030009540A1 (en) * 2001-06-29 2003-01-09 International Business Machines Corporation Method and system for presentation and specification of distributed multi-customer configuration management within a network management framework

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7603716B2 (en) 2004-02-13 2009-10-13 Microsoft Corporation Distributed network security service
US7716726B2 (en) 2004-02-13 2010-05-11 Microsoft Corporation System and method for protecting a computing device from computer exploits delivered over a networked environment in a secured communication
US7814543B2 (en) 2004-02-13 2010-10-12 Microsoft Corporation System and method for securing a computer system connected to a network from attacks
US7929689B2 (en) 2004-06-30 2011-04-19 Microsoft Corporation Call signs
US7716727B2 (en) 2004-10-29 2010-05-11 Microsoft Corporation Network security device and method for protecting a computing device in a networked environment
US8086842B2 (en) 2006-04-21 2011-12-27 Microsoft Corporation Peer-to-peer contact exchange
US8417993B2 (en) 2007-06-21 2013-04-09 Microsoft Corporation Fuzz testing and attack-surface scoping for URI handlers and pluggable protocols
US9665458B2 (en) 2011-06-01 2017-05-30 Data Security Solutions, Llc Method and system for providing information from third party applications to devices
CN104468211A (en) * 2014-12-02 2015-03-25 中广核工程有限公司 Nuclear power station numerical control system platform communication failure diagnostic system and method
CN111885068A (en) * 2020-07-28 2020-11-03 杭州默安科技有限公司 Bypass deployment traffic distribution method and system
CN111885068B (en) * 2020-07-28 2022-11-15 杭州默安科技有限公司 Bypass deployment traffic distribution method and system

Also Published As

Publication number Publication date
WO2005026872A3 (en) 2005-05-19

Similar Documents

Publication Publication Date Title
US7610375B2 (en) Intrusion detection in a data center environment
US9094372B2 (en) Multi-method gateway-based network security systems and methods
US7451489B2 (en) Active network defense system and method
US7984493B2 (en) DNS based enforcement for confinement and detection of network malicious activities
US20180091547A1 (en) Ddos mitigation black/white listing based on target feedback
US20030188189A1 (en) Multi-level and multi-platform intrusion detection and response system
CN108809970B (en) Safety protection method of intelligent home security gateway
US20070294759A1 (en) Wireless network control and protection system
Hijazi et al. Address resolution protocol spoofing attacks and security approaches: A survey
US7596808B1 (en) Zero hop algorithm for network threat identification and mitigation
Scarfone et al. Intrusion detection and prevention systems
WO2005026872A2 (en) Internal lan perimeter security appliance composed of a pci card and complementary software
KR20020072618A (en) Network based intrusion detection system
Salim et al. Preventing ARP spoofing attacks through gratuitous decision packet
Kamal et al. Analysis of network communication attacks
Nasser et al. An Effective Approach to Detect and Prevent ARP Spoofing Attacks on WLAN
Keromytis et al. Designing firewalls: A survey
Pir Intrusion detection techniques and open source intrusion detection (IDS) tools
US11539741B2 (en) Systems and methods for preventing, through machine learning and access filtering, distributed denial of service (“DDoS”) attacks originating from IoT devices
Faheem Multiagent-based security for the wireless LAN
Hooper An intelligent detection and response strategy to false positives and network attacks: operation of network quarantine channels and feedback methods to IDS
Nakato Networks security: attacks and defense mechanism by designing an intelligent firewall agent
Khan Critical Study and Survey of IDS form Malicious Activities using SNORT
Alimi Effective Multi-Layer Security for Campus Network
Agrawal et al. Analysis of Intrusion Detection System Using Trusted Clients

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BW BY BZ CA CH CN CO CR CU CZ DK DM DZ EC EE EG ES FI GB GD GE GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MK MN MW MX MZ NA NI NO NZ PG PH PL PT RO RU SC SD SE SG SK SY TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GM KE LS MW MZ NA SD SZ TZ UG ZM ZW AM AZ BY KG MD RU TJ TM AT BE BG CH CY DE DK EE ES FI FR GB GR HU IE IT MC NL PL PT RO SE SI SK TR BF CF CG CI CM GA GN GQ GW ML MR SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase