1 / 16

An Approach To Automate a Process of Detecting Unauthorised Accesses

POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER. An Approach To Automate a Process of Detecting Unauthorised Accesses. M. Chmielewski, A. Gowdiak, N. Meyer, T. Ostwald, M. Stroiński http://www.man.poznan.pl office@man.poznan.pl. Poznań Supercomputing and Networking Center.

marli
Télécharger la présentation

An Approach To Automate a Process of Detecting Unauthorised Accesses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER An Approach To Automate a Process of Detecting Unauthorised Accesses M. Chmielewski, A. Gowdiak, N. Meyer, T. Ostwald, M. Stroiński http://www.man.poznan.ploffice@man.poznan.pl Poznań Supercomputing and Networking Center

  2. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER The need for a new security tool in open network environments • The value of information processed and stored in computer networks is growing rapidly • Classical approaches of the information security seem to be useless, especially in open network environments • System security is often reached along with a loss of its functionality • The threats to the information security have its sources in software errors • There is insufficient support from software and hardware vendors in the security area

  3. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER Intrusion Detection Systems (IDS) - definition The main purpose of such a system is to detect in real time, all kinds of inappropriate user activity such as attempts to breach system integrity or gain unauthorized access to information. Because the intrusion detection process is a complex task, its automation seems to be necessary.

  4. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER Intrusion Detection Systems - state of the art Most of currently employed IDS systems: • Detect only known attack scenarios • Try to detect basic anomalies in user and system activity • Use unreliable information source (network) • Offline use of reliable information source (audit log) • Are passive monitors and detectors but no active protectors As for now there are no hybrid Intrusion Detection Systems on the market ready to be put into practice and providing complex security

  5. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER Security Maintaining System as a new approach to open network environment security Extension to the intrusion detection model: • New IDS system functionality • Hybrid approach to detection process (anomaly and misuse) • Reliable information source (operating system kernel) • On-line monitoring of system and user activities • Active protection of the system • Global implementation of the security policy in a distributed environment

  6. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER Application of the IDS system in an open network environment

  7. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER VALIS A useful and effective tool for security maintenance in network environments, where other standard security methods (e.g. network isolation, access restrictions) cannot be used. An approach to automate a process of detecting unauthorised accesses in open network environments.

  8. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER VALIS design The VALIS system is designed as a modular architecture: • Flexible to suite the demanded level of security • Scalable • Provides additional functionality The VALIS system is designed to operate in a distributed environment: • Easily adaptable to the operating environment • Partially distributed analysis • Capability to monitor and protect all systems

  9. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER VALIS - Main Modules • Information Collecting Moduleruns on each of the protected systems and collects information about their states and user activity • Communication Moduleexchanges data between protected systems and security management stations • Analysis and Decision Modulea basic analysis takes place on each protected system and its extended version on the security management station

  10. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER VALIS - Main Modules cont. • Archive Moduleis responsible for storing all important information about the system and user activities in a safe way, which makes it possible to track all changes in the system according to their needs • Response Moduleperforms specific actions in a protected system as a response of the decisions made by the analysis module

  11. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER VALIS system architecture

  12. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER Analysis and decision modules ESM (Expert System Module) is the main analysis module of the VALIS system. Its purpose is to analyze the information provided by other modules running on client and server systems. Rules make a core part of the decision mechanism and can express: • Management and coordination between all modules • Global system security policy • Detection process support • System attacks detection • Processing of the information obtained from other analysis modules Such an architecture allows the use of parallel, different analysis modules

  13. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER Information Collecting modules Information about system state and users activities are retrieved directly from the operating system kernel • Reliability • Full view of protected systems state and its users’ activities • Security • Should not imply any danger to the system and should resist any user manipulation attempt • Efficiency • Should not have big influence on systems performance and do not disturb legal users’ activities • Flexibility • Should provide information about system in the proper format ready for further processing

  14. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER Inter-Modules Communication Layer The main task of IMCL is to provide efficient interface between all modules of the VALIS system. The communication protocol has to fulfil the following assumptions: • Flexibility (it can be easily adopted to any network environment) • Trustworthy (it should be reliable and provide high level of security) • Independence (it should be independent of network and operating system)

  15. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER VALIS - sample architecture

  16. POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER Summary • There is a need for security maintaining systems that are not only detecting intrusion attempts but also actively protect against them. • The main features of the VALIS system architecture: • Modular architecture • High level of flexibility • Hybrid approach to detection process (anomaly and misuse) • New functionality along with quality

More Related