1 / 21

Report on Common Intrusion Detection Framework

Report on Common Intrusion Detection Framework. By Ganesh Godavari. Outline of the talk. CIDF GIDO GIDO Filters. Goal. Goal of IDIAN Develop a negotiation protocol that is dynamic Allow distributed collection of heterogeneous ID components

matty
Télécharger la présentation

Report on Common Intrusion Detection Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Report on Common Intrusion Detection Framework By Ganesh Godavari

  2. Outline of the talk • CIDF • GIDO • GIDO Filters

  3. Goal • Goal of IDIAN • Develop a negotiation protocol that is dynamic • Allow distributed collection of heterogeneous ID components • Provide inter-operate ability to reach agreement on ID information processing capability

  4. Motivation • Understand • Common Intrusion Detection Framework • Common Intrusion Specification Language (CISL)

  5. Scenario 1: a new capability new host machine with detection component is added to LAN. Network under connection laundering attack Solution ?

  6. solution • Analysis component detects the number of inbound and outbound connections for the service provided by the host.

  7. Scenario 2: flooding IDS Stolen company laptop with detection component is used to launch an attack. Hacker generate lot of spurious audit data to deflect suspicion. Second host is also compromised. Generate more audit data and crash the central IDS

  8. Common Intrusion Detection Framework (CIDF) • CIDF architecture • Divides IDS into Components • Component consists of software code with configuration information • Components can be added/removed • Components interact in real time and exchange data using GIDO

  9. CIDF components • Components • Event generators ("E-boxes") • Produce GIDOs • Event analyzers ("A-boxes") • Consume GIDOs • Conclusions are turned out as GIDOs • Event databases ("D-boxes") • store events for later retrieval • Response units ("R-boxes") • Consume GIDOs • Take action like kill process, reset connections

  10. Generalized Intrusion Detection Objects (GIDO) • GIDO consists of two components • Fixed Format header • CIDF version, timestamp, and length of body • Variable Length Body • data

  11. GIDO body Which process detected Where the attack occurred (ByMeansOf (Attack (Observer (ProcessName `StackGuard') ) (Target (HostName `somehost.someplace.net') ) (AttackSpecifics (Certainty `100') (Severity `100') (AttackID `1' `0x4f') ) (Outcome (CIDFReturnCode `2') ) (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999') ) ) (ByMeansOf (Execute (Process (ProcessName `fingerd') ) (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999') ) ) ) ) data Where the attack is targeted at? Semantic Identifier (SID) StackGuard is a compiler that emits programs hardened against "stack smashing" attacks.

  12. SID is associated with each piece of data in the body • SID associated with data are called Atom SID • Atom SID cannot completely describe an event. • Verbs describe events • e.g. Attack SID • Verb SID has set of Role SIDs which provide additional information about the event. • e.g. Observer Role provides information about the observer of an event.

  13. Example V is a verb SID R1 and R2 are role SIDs A1 through A3 are Atom SIDs S-expression (V (R1 (A1 data1) (A2 data2) ) (R2 (A3 data3) ) ) Tree Representation

  14. IDIAN Components • IDIAN architecture components • Detection • Sensors like audit mechanisms and packet sniffers • Record activity • Analysis • Detect attacks • Response • Accept commands to take specific action to stop attacks

  15. IDIAN component Interaction • Analysis component uses recorded activity to detect attacks Recorded Activity Specific Action Commands Detection Analysis Response

  16. GIDO Filters • GIDO Filter • Method of describing a set of GIDOs • Use same basic structure as GIDOS • Interesting fields identified in the filter can easily be extracted from GIDO => filtering unneeded information Major difference between a GIDO and Filter is in the body

  17. GIDO filter Requirements • GIDO filter Requirements • Expressive • Ability to specify all sets of useful GIDOs • Ability to specify sets of hosts, users • Precise • Ability to determine which GIDOs satisfy a filter or not • Allow the extraction of particular data values from matching GIDOS • Filter language must allow for efficient implementation of encoding, decoding and matching GIDOs to filters • Easy to construct filters from existing subsets of existing filters • Easy to determine if a filter is equivalent to a null filter (no matching GIDO)

  18. Sample filter (Filter (Fragment (Attack (observer (ProcessName ‘observer:exp1’)) (Target (HostName ‘target:exp2) ) ) ) (Permit ‘ByMeansOf’) (variables ‘observer’ ‘target’) ) • GIDO in Figure 1 matches the fragment in Figure 2, with the variables observer and target instantiating to `StackGuard' and `somehost.someplace.net‘ resp. Specifies piece of GIDO

  19. References • Intrusion Detection Inter-component Adaptive Negotiation • Richard Feiertag et al 2000 IEEE Computer Networks special issue on intrusion detection • A Common Intrusion Specification Language, CIDF working group document. • Communication in the Common Intrusion Detection Framework, CIDF working group document.

  20. Negotiation Protocol • IDIAN negotiation protocol allows components to • Discover the services of other components. • Negotiate for the use of those services. • Intelligently manage the use of IDS resources by components. • Dynamically adjust the use of services, perhaps in order to respond to changes in the environment.

  21. Agreement • relationship between a producer and a consumer. • species a set of services which the producer must provide to the consumer. • example, an event generator may agree to provide a particular set of audit data to an analyzer. At a minimum, an agreement must specify the producer, consumer, and the set of services to be provided. Contract • set of agreements, each of which involve the same producer and consumer (the partners to the contract). • exactly one agreement in a contract is in effect. Contract Database • set of contracts. • Every component has a contract database containing all the contracts to which it is a partner. Capability Database • associates services (e.g., provide IP audit data, filter packets, etc.) with the components which can provide those services. • Each component has a database containing its own capabilities and, possibly, those of other components.

More Related