External Routing Intrusion Detection System (ERIDS)
Contract Number: F30602-98-c-0242
PI(s): Stephen T. Kent, Luis A. Sanchez
Objective
To develop an External Routing Intrusion Detection System (ERIDS) capable of providing Network Operation Centers (NOCs) with information indicating incorrect operation of BGPv4 due to malicious attacks or mis-configurations. ERIDS MUST leverage the existing routing infrastructure and MUST demonstrate backward compatibility with existing networking gear and legacy systems.
Approach
The first step in realizing ERIDS involves the development of a sound architecture that demonstrates how the system is capable of: 1) collecting BGPv4 messages; 2) analyzing the messages by decoding the data payload; 3) comparing the messages to the routing information contained in the routing policy database(s); and 4) detecting specific intrusion events.
The second step in the development of ERIDS entails the design of intrusion detection probes and an intrusion detection engine, combined with the tools needed to request and retrieve information securely from the routing policy database. ERIDS requires the development of intrusion probes capable of obtaining BGPv4 messages, compressing them and transmitting them to a remote Detection Engine for analysis. ERIDS further requires the development of a Detection Engine capable of comparing BGPv4 messages to the routing information contained in the routing policy database(s) for the Autonomous Systems involved in peering sessions, in order to detect intrusion events. The engine validates the messages by comparing them to the explicit routing policies specified by the owner of the autonomous system. Once the system detects an event, it generates the appropriate responses to the event, including alert messages for Network Operation Centers.
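An added illustration of the decode-and-compare step described above, in Python; it is not code from the ERIDS project. It parses the NLRI prefixes and AS_PATH from a constructed BGP-4 UPDATE and checks each announced prefix against a constructed stand-in for the routing policy database, raising an event when the announced origin AS differs from the registered one and when a prefix has no registered policy at all. The policy database contents, the UPDATE bytes and the event names are all assumptions.

```python
import ipaddress
import struct
# Constructed stand-in for the routing policy database: each registered prefix and the origin AS its owner authorised.
POLICY_DB = {ipaddress.ip_network("192.0.2.0/24"): 64500, ipaddress.ip_network("198.51.100.0/24"): 64501}
# Constructed UPDATE from a peer whose AS_PATH 64496 -> 64500 announces three prefixes.
SAMPLE_UPDATE = (
    b"\xff" * 16 + b"\x00\x37\x02"             # marker, length 55, type 2 (UPDATE)
    + b"\x00\x00" + b"\x00\x14"                # no withdrawn routes; path attributes length 20
    + b"\x40\x01\x01\x00"                      # ORIGIN = IGP
    + b"\x40\x02\x06\x02\x02\xfb\xf0\xfb\xf4"  # AS_PATH: one AS_SEQUENCE segment [64496, 64500]
    + b"\x40\x03\x04\xcb\x00\x71\x01"          # NEXT_HOP 203.0.113.1
    + b"\x18\xc0\x00\x02\x18\xc6\x33\x64\x18\xcb\x00\x71"  # NLRI: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24
)

def parse_update(msg):  # decode NLRI prefixes and AS_PATH of a BGP-4 UPDATE (RFC 1771 framing, 2-octet ASNs)
    if len(msg) < 19 or msg[:16] != b"\xff" * 16 or msg[18] != 2:
        raise ValueError("not a BGP UPDATE message")
    body = msg[19:struct.unpack("!H", msg[16:18])[0]]
    pos = 2 + struct.unpack("!H", body[:2])[0]           # skip the withdrawn-routes field
    alen = struct.unpack("!H", body[pos:pos + 2])[0]
    attrs, nlri = body[pos + 2:pos + 2 + alen], body[pos + 2 + alen:]
    as_path, i = [], 0
    while i < len(attrs):                                # walk the path attributes
        flags, code = attrs[i], attrs[i + 1]
        vlen, i = (struct.unpack("!H", attrs[i + 2:i + 4])[0], i + 4) if flags & 0x10 else (attrs[i + 2], i + 3)
        value, j = attrs[i:i + vlen], 0
        while code == 2 and j < len(value):              # AS_PATH segments: type, count, ASNs
            count = value[j + 1]
            as_path += struct.unpack("!%dH" % count, value[j + 2:j + 2 + 2 * count])
            j += 2 + 2 * count
        i += vlen
    prefixes, i = [], 0
    while i < len(nlri):                                 # NLRI: prefix length, then only the significant octets
        plen, nbytes = nlri[i], (nlri[i] + 7) // 8
        octets = nlri[i + 1:i + 1 + nbytes] + b"\x00" * (4 - nbytes)
        prefixes.append(ipaddress.ip_network((octets, plen), strict=False))
        i += 1 + nbytes
    return prefixes, as_path

def detect_events(msg):  # compare one announcement with the policy database; return (event, prefix, origin AS)
    prefixes, as_path = parse_update(msg)
    origin, events = (as_path[-1] if as_path else None), []   # rightmost AS in the path originated the route
    for p in prefixes:
        covering = [r for r in POLICY_DB if p.subnet_of(r)]
        if not covering:
            events.append(("unregistered-prefix", str(p), origin))
        elif POLICY_DB[max(covering, key=lambda r: r.prefixlen)] != origin:
            events.append(("origin-mismatch", str(p), origin))
    return events
```

Run on the sample, 192.0.2.0/24 passes while the other two prefixes produce an origin-mismatch and an unregistered-prefix event, which is the kind of information the engine would forward to a NOC.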
The last step in the development of ERIDS is the implementation phase. The goal of this phase is to produce a deployable implementation of the Intrusion Detection Probes, the Intrusion Detection Engine and the database accessing tools. Several key issues that arise during this phase, such as system performance, data volume, and database calibration and consistency, will be addressed, and the system will be tested before the technology is transferred to the community.

Figure 1.0 Components and information flow of the External Intrusion Detection System
Current Plan:
Schedule of Milestones
