Title: Discovery Coordinator Services in Security Service Desk
1 Discovery Coordinator Services in Security Service Desk

[Architecture diagram; only its labels survive extraction. Inside the Security Service Desk: Discovery Coordinator, Authorization Manager, Response Selector, Object Mgmt DB, Display Manager, Decision Engine and Network Manager, all attached to the Security Service Desk Common Backplane and exchanging GIDOs. Below the backplane: Encrypted GIDOs over Sockets, with or without VPN, across the Communication (e.g. Network Layer).]
9 Sep 1998
2 Discovery Coordinator / Security Service Desk Functions
Policy Projector
The purpose of the policy projector is to receive qualitative policy from the SSD Policy Server, transform it into quantitative policy, taking into account the mission and each assigned operation with their associated information assets, and produce a reviewable, editable quantitative policy. The quantitative policy is then projected (distributed) to the intrusion detection and response components, including the following:
- Intrusion Correlator(s)
- Response Recommendation Engine(s)
- Response Selector
- Intrusion Detector(s)
- Intrusion Responder(s)
Intrusion Correlator
The purpose of the intrusion correlator is to receive descriptions of "out of the ordinary" network events from distributed intrusion detectors and produce summaries of (potential) attacks. Two types of correlators are identified: "statistical" and "signature". Statistical correlators measure network activity to establish a baseline of "normal" activity as a function of time and activity type. Signature correlators identify potential intrusions based on a signature that may include dynamic measures and known packet contents.
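As an added illustration (not part of the slides), the following Python sketches both correlator types the slide names: a statistical correlator that builds a per-hour, per-activity-type baseline from historical detector reports and flags events whose volume exceeds it by a z-score threshold, and a signature correlator that combines known packet contents with a dynamic measure (here, the number of distinct detectors reporting the same marker within a time window). All class names, the threshold, the marker bytes and the detector names are assumptions; the event data in the usage note is constructed.

```python
# Added example (not from the slides): a statistical and a signature correlator
# that consume detector events and emit attack summaries. Names are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional


@dataclass(frozen=True)
class DetectorEvent:
    """An "out of the ordinary" event reported by one intrusion detector."""
    ts: datetime
    detector: str        # reporting detector, e.g. "det-a" (constructed name)
    activity: str        # activity type, e.g. "tcp_syn"
    count: int           # activity volume seen in the detector's interval
    payload: bytes = b""


@dataclass
class AttackSummary:
    kind: str            # "statistical" or "signature"
    activity: str
    detectors: set
    first_seen: datetime
    last_seen: datetime
    evidence: str


class StatisticalCorrelator:
    """Baseline of "normal" activity as a function of hour-of-day and activity type."""

    def __init__(self, threshold_sigma: float = 3.0, min_samples: int = 5):
        self.threshold_sigma = threshold_sigma      # assumed z-score cut-off
        self.min_samples = min_samples              # refuse to score thin baselines
        self._samples = defaultdict(list)           # (hour, activity) -> [count, ...]

    def train(self, history: List[DetectorEvent]) -> None:
        for e in history:
            self._samples[(e.ts.hour, e.activity)].append(e.count)

    def score(self, e: DetectorEvent) -> Optional[float]:
        """Z-score of the event against its baseline bucket; None if no baseline exists."""
        samples = self._samples.get((e.ts.hour, e.activity), [])
        if len(samples) < self.min_samples:
            return None
        sigma = pstdev(samples) or 1.0              # flat baseline: treat spread as one unit
        return (e.count - mean(samples)) / sigma

    def correlate(self, events: List[DetectorEvent]) -> List[AttackSummary]:
        out = []
        for e in events:
            z = self.score(e)
            if z is not None and z >= self.threshold_sigma:
                out.append(AttackSummary("statistical", e.activity, {e.detector}, e.ts, e.ts,
                                         f"count {e.count} exceeds baseline, z={z:.1f}"))
        return out


@dataclass(frozen=True)
class Signature:
    name: str
    activity: str
    payload_marker: bytes     # known packet contents
    min_detectors: int        # dynamic measure: distinct detectors within the window
    window: timedelta


class SignatureCorrelator:
    def __init__(self, signatures: List[Signature]):
        self.signatures = list(signatures)

    def correlate(self, events: List[DetectorEvent]) -> List[AttackSummary]:
        out = []
        events = sorted(events, key=lambda e: e.ts)
        for sig in self.signatures:
            hits = [e for e in events
                    if e.activity == sig.activity and sig.payload_marker in e.payload]
            # Slide a window over the hits; summarise the first window that satisfies the signature.
            for i, start in enumerate(hits):
                in_window = [h for h in hits[i:] if h.ts - start.ts <= sig.window]
                seen = {h.detector for h in in_window}
                if len(seen) >= sig.min_detectors:
                    out.append(AttackSummary("signature", sig.activity, seen,
                                             in_window[0].ts, in_window[-1].ts, sig.name))
                    break
        return out
```

A constructed run: train `StatisticalCorrelator` on six days of `tcp_syn` counts around 20 for the 10:00 hour, and an event of 60 in that hour is summarised while 21 is not; an activity type with no history scores `None` rather than being guessed at. For `SignatureCorrelator`, two detectors seeing the same marker within five minutes produce one summary listing both detectors.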
Response Recommendation Engines
The purpose of the Response Recommendation Engine is to receive statements of intrusions and, based on the current network topology and type of intrusion, produce possible valid responses.
3 Discovery Coordinator / Security Service Desk Functions (cont.)
Response Selector
The response selection engine receives inputs from all Suggestion Engines within the scope of the Discovery Coordinator. The response recommendation engine applies a weight to each input and, using the current network topology and current response policy, selects the response that minimizes impact on the missions and supported operations. The response selector is also aware of the status of the Discovery Coordinator. If the Response Selector detects that the Discovery Coordinator operation has been compromised in any way, as indicated by DC_Not OK, then . . .
If the Response Selector detects that the Security Service Desk operation has been compromised in any way, as indicated by SSD_Not OK, then, if the Backup_SSD has been defined, the Response Selector establishes itself with the Backup_SSD and messages from the former primary SSD are ignored.
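The selection and failover rules above, as an added Python example that is not part of the slides: recommendations from several engines are combined by engine weight and confidence, filtered by the current response policy, costed against the network topology (the mission priorities a target host carries), and the least-impact response is chosen. The SSD_Not OK branch switches to the Backup_SSD and drops messages from the former primary. Engine names, host names, the policy shape and the impact formula are assumptions; the slide does not specify its cost model, and the DC_Not OK branch is left as the slide leaves it.

```python
# Added example (not from the slides): a Response Selector that weights
# recommendations from several engines, applies the current response policy
# and network topology, and implements the SSD failover rule from the slide.
# Engine names, hosts, the impact formula and the policy shape are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Recommendation:
    engine: str          # recommending engine, e.g. "rre-1" (constructed name)
    response: str        # response type, e.g. "block_source"
    target: str          # host or network the response acts on
    confidence: float    # engine's confidence, 0..1


@dataclass
class Topology:
    """Current network topology: the missions each host supports."""
    host_missions: Dict[str, List[str]]
    mission_priority: Dict[str, int]      # higher = more important to protect

    def mission_impact(self, host: str) -> int:
        """Sum of priorities of every mission that loses `host` if it is acted on."""
        return sum(self.mission_priority.get(m, 0)
                   for m in self.host_missions.get(host, []))


@dataclass
class ResponsePolicy:
    permitted: Dict[str, int]    # response type -> intrinsic disruption (assumed scale 0..10)
    min_support: float           # weighted support required before a response is selectable


@dataclass
class SelectorStatus:
    dc_ok: bool = True                    # DC_Not OK handling is elided on the slide
    ssd_ok: bool = True
    primary_ssd: str = "ssd-primary"      # constructed identifiers
    backup_ssd: Optional[str] = None
    active_ssd: str = "ssd-primary"


class ResponseSelector:
    def __init__(self, engine_weights: Dict[str, float], topology: Topology,
                 policy: ResponsePolicy, status: SelectorStatus):
        self.engine_weights = engine_weights
        self.topology = topology
        self.policy = policy
        self.status = status

    def check_ssd(self) -> str:
        """SSD_Not OK with a Backup_SSD defined: re-establish with the backup."""
        if not self.status.ssd_ok and self.status.backup_ssd:
            self.status.active_ssd = self.status.backup_ssd
        return self.status.active_ssd

    def accept_message(self, source_ssd: str) -> bool:
        """After failover, messages from the former primary SSD are ignored."""
        active = self.check_ssd()
        failed_over = active != self.status.primary_ssd
        return not (failed_over and source_ssd == self.status.primary_ssd)

    def select(self, recs: List[Recommendation]) -> Optional[dict]:
        # Weighted support per (response, target): engine weight x engine confidence.
        support: Dict[tuple, float] = {}
        for r in recs:
            key = (r.response, r.target)
            support[key] = support.get(key, 0.0) + self.engine_weights.get(r.engine, 0.0) * r.confidence
        candidates = []
        for (resp, target), s in support.items():
            if resp not in self.policy.permitted or s < self.policy.min_support:
                continue       # not allowed by current policy, or too little support
            # Assumed cost model: disruption scaled by the mission priority the target carries.
            impact = self.policy.permitted[resp] * (1 + self.topology.mission_impact(target))
            candidates.append((impact, -s, resp, target))
        if not candidates:
            return None
        impact, neg_support, resp, target = min(candidates)   # least impact, then most support
        return {"response": resp, "target": target, "impact": impact, "support": -neg_support}
```

With a constructed topology in which `db-1` supports two high-priority missions, an engine's suggestion to isolate `db-1` is outranked by a lower-disruption block on the source network even though the isolate suggestion has more weighted support; raising `min_support` so the block no longer qualifies makes the isolate response the choice. Responses absent from the policy are never considered, whatever their support.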
Log Query
The Log Query provides the capability to request a search of the Discovery Coordinator Log based on event types and/or time periods. The Log Query also provides the capability to request that periodic reports, as a function of event type, be sent to a system asset.
Backplane Server
The backplane server provides common services required by Discovery Coordinator applications, including:
(i) Process registration
(ii) Host registration
(iii) Command Routing
(iv) Health Monitoring
(v) Response Formatting
(vi) Logging
(vii) Event Triggering
(viii) Time Triggering
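An added in-memory sketch of the eight backplane services (not code from the slides or any SSD implementation): hosts and processes register, commands are routed only for registered senders, health is judged from heartbeat freshness, every service writes to a common log, and event and time triggers fire callbacks. The clock is injected so health and time triggers can be driven deterministically. Class and method names, the log record shape and the response record shape are assumptions; the response record is a plain dict, not a GIDO.

```python
# Added example (not from the slides): an in-memory sketch of the eight
# backplane services, with an injectable clock so health monitoring and time
# triggers can be exercised deterministically. Names and record formats are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcessRecord:
    name: str
    host: str
    last_heartbeat: datetime


class Backplane:
    def __init__(self, now: Callable[[], datetime], heartbeat_timeout: timedelta):
        self.now = now                                          # injectable clock
        self.heartbeat_timeout = heartbeat_timeout
        self.hosts: Dict[str, str] = {}                         # (ii) host -> address
        self.processes: Dict[str, ProcessRecord] = {}           # (i)
        self.handlers: Dict[str, Callable] = {}                 # (iii) command -> handler
        self.log: List[dict] = []                               # (vi)
        self.event_callbacks: Dict[str, List[Callable]] = {}    # (vii)
        self.timers: List[Tuple[datetime, Callable]] = []       # (viii)

    # (vi) Logging: every service appends a timestamped record here.
    def _log(self, event: str, **fields) -> None:
        self.log.append({"ts": self.now(), "event": event, **fields})

    # (ii) Host registration
    def register_host(self, name: str, address: str) -> None:
        self.hosts[name] = address
        self._log("host_registered", host=name, address=address)

    # (i) Process registration: a process must live on a registered host.
    def register_process(self, name: str, host: str) -> bool:
        if host not in self.hosts:
            self._log("rejected_process", process=name, host=host)
            return False
        self.processes[name] = ProcessRecord(name, host, self.now())
        self._log("process_registered", process=name, host=host)
        return True

    # (iii) Command routing: only registered processes may send commands.
    def register_command(self, command: str, handler: Callable) -> None:
        self.handlers[command] = handler

    def route(self, sender: str, command: str, payload):
        if sender not in self.processes:
            self._log("rejected_sender", sender=sender, command=command)
            return None
        handler = self.handlers.get(command)
        if handler is None:
            self._log("unroutable", sender=sender, command=command)
            return None
        self._log("routed", sender=sender, command=command)
        return handler(payload)

    # (iv) Health monitoring: a process is healthy while its heartbeat is fresh.
    def heartbeat(self, name: str) -> None:
        self.processes[name].last_heartbeat = self.now()

    def health(self) -> Dict[str, bool]:
        now = self.now()
        return {n: (now - p.last_heartbeat) <= self.heartbeat_timeout
                for n, p in self.processes.items()}

    # (v) Response formatting: one uniform record shape (constructed, not a GIDO).
    @staticmethod
    def format_response(response: str, target: str, authorized: bool) -> dict:
        return {"kind": "intrusion_response", "response": response,
                "target": target, "authorized": authorized}

    # (vii) Event triggering
    def on_event(self, event: str, callback: Callable) -> None:
        self.event_callbacks.setdefault(event, []).append(callback)

    def fire(self, event: str, payload) -> int:
        callbacks = self.event_callbacks.get(event, [])
        for cb in callbacks:
            cb(payload)
        self._log("event_fired", event_name=event, listeners=len(callbacks))
        return len(callbacks)

    # (viii) Time triggering: run every timer whose due time has passed.
    def at(self, due: datetime, callback: Callable) -> None:
        self.timers.append((due, callback))

    def run_due(self) -> int:
        now = self.now()
        due = [t for t in self.timers if t[0] <= now]
        self.timers = [t for t in self.timers if t[0] > now]
        for _, cb in due:
            cb()
        return len(due)
```

The two refusals (a command from an unregistered sender, a process on an unregistered host) are logged rather than raised, so the log is the audit trail for misuse of the backplane as well as for normal traffic; health is a pure function of the injected clock, which is what makes a stale heartbeat testable without sleeping.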
4 Discovery Coordinator Functions: Context and Top Level Flow

[Flow diagram; only its labels survive extraction, so the arrows between them are not recoverable.
Interfaces: Object Base GUI via the ODB API; NwM API; DC API; Service Layer.
Administrator inputs: Security Administrator Adjustments; Editable IDR Policy Coordination Numerical Weighting Parms; Local Domain Topology.
Numbered flows: (1) Heartbeat with InfoCon State and Slide Bar; (2), (3), (4), (5), (6) Downloaded Intrusion Detection and Response Policy Commands; (7) Event Trigger Requests; (8) Report_Requests; (9) Examine Log Cmds.
Data items: IDR Coord. Parameters (As GIDOs); Intrusion Descriptions (As GIDOs); Intrusion Responses (As GIDOs); Refined Numerical Weighting and Response Policy; Response Authorization; Attack Summary; Valid, Reasonable Responses; Recommended Intrusion Response; Query Responses to Situation Awareness Component.
Functions and components: Correlate Intrusions; Produce Response Recommendations; Response Selector; Policy Manager; Decision Engine; Cost Model; GrIDS; Intrusion Detection Situation Display; Intrusion Response Situation Display.
Backplane Server: (i) Process registration, (ii) Host registration, (iii) Command Routing, (iv) Health Monitor, (v) Response Formatter, (vi) Logger, (vii) Event Trigger, (viii) Time Trigger.]
5 Discovery Coordinator Architecture

[Layered architecture diagram; labels reconstructed top to bottom.]
Application Layer: Response Selector; Intrusion Correlator(s); DC Policy Projector. Reached through the ODB API and the DC API.
Service Layer: DC Backplane Server providing (i) Process registration, (ii) Host registration, (iii) Command Routing, (iv) Health Monitor, (v) Response Formatter, (vi) Logger, (vii) Event Trigger, (viii) Time Trigger.
Message Layer: CIDF/IDIP Engine or SSD Supplied Assurance protocols, providing (i) Reliable Transport, (ii) Cryptographic authentication of nodes, (iii) Privacy (Encryption). Two further boxes are left unlabelled ("???") on the slide.
Sockets.
Communication (e.g. Network Layer), with or without VPN.
Note: For the other SSD modules to communicate with DC modules (of the SSD), this architecture requires that (1) the SSD use the DC Backplane services and (2) the SSD use either the CIDF/IDIP Engine or another mutually agreeable Message Layer which provides (i) Reliable Transport, (ii) Cryptographic authentication of nodes, and (iii) Privacy (Encryption).
Indicated pluggable components such as GrIDS, Emerald, . . .