APHIDS Agentbased Programmable Hybrid Intrusion Detection System - PowerPoint PPT Presentation

1
APHIDS: Agent-based Programmable Hybrid Intrusion Detection System
  • Steve Wilson, Kapil Singh, Luca Filipozzi

2
Overview
  • Introduction
  • The Problem
  • Previous Approaches to IDS Data Analysis
  • Our Approach - APHIDS
  • Scenarios
  • Conclusions
  • Future Work
  • Demonstration

3
Introduction
  • What is Intrusion Detection?
  • Network versus Host versus Hybrid?
  • What types of Intrusion Detection Systems exist?
    • signature-based approach
    • anomaly-based approach
  • What are the current Best Practices for system
    administrators?
  • Systems Diagram
  • What is SNORT?
  • What is ARGUS?

4
Introduction: System Diagram
5
The Problem
  • Current Intrusion Detection Systems
    • Are too verbose
    • Too many false positives
    • Valuable time is wasted investigating these.
    • Too many false negatives (i.e. no reports)
    • Failure to detect attacks is dangerous
    • Do not sufficiently correlate data from various
      sources to provide practical information
  • The goal is to provide system administrators with
    timely, useful information.

6
Previous Approaches
  • IDS log summarisers
    • No data correlation
    • Still too verbose
    • Not real time
  • Conventional Centralized Approach
    • All logged data from each sensor is transferred
      to a central processing node and then the data is
      correlated
    • Too much load on the network
    • Too much processing load on the central
      processing node

7
Our Approach - APHIDS
  • Agent-based
    • Use mobile agents to collect and correlate
      relevant data collected from the IDS log files.
  • Programmable (future work)
    • Allow for the definition of generic analysis tasks.
    • Functionality can be altered or augmented by
      applying the generic tasks.
  • Hybrid
    • Interfaces with network-based IDS (snort, argus)
    • Interfaces with host-based IDS (syslog, tripwire,
      etc.)

8
Our Approach: Why Agents?
  • Agents can move from one node to another and
    exploit the power of multiple computers to
    perform operations in a distributed and
    coordinated fashion
  • Instead of moving large amounts of data across a
    network, the agents can process the data at its
    origin and just pass on the results, thus
    significantly reducing the network load
  • Being autonomous, agents can continue to work
    even after their creator nodes fail
  • The use of agents creates no new application-level
    protocol, so compatibility is maintained with any
    agent-based application

9
Scenarios -- Scenario 1
(1) Attacker port scans HTTP Server.
(2) Stationary Agent responds to snort detecting
a port scan from host A to server B. Mobile
Agent spawned to investigate.
(3) Mobile Agent determines that host A has made
SSH connections to server C within the last hour.
Continue investigation on Server C.
(4) Mobile Agent determines that the individual from
host A used username U to log in to the server.
(5) Mobile Agent informs the system
administrators that a user, U, is logged in from
a host, A, that is port scanning other servers.
Response requested.
10
Scenarios -- Scenario 2
(1) Attacker makes many connections to SSH server
C.
(2) Stationary Agent determines that host A has
made too many connections to server C. Mobile
Agent spawned to investigate.
(3) Mobile Agent determines that all connections
from host A used the same username, U, to log in
to the server. Enable user process accounting
and auditing.
(4) Mobile Agent informs the system
administrators that a user, U, has been logging
in more frequently than desired and that his
activities are being logged.
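A worked correlation of the two scenarios above, as an added example that is not part of the original presentation or the APHIDS code: it walks Scenario 1 (Snort port-scan alert, then Argus SSH flows from host A within the last hour, then sshd syslog logins on server C) and the Scenario 2 connection-count trigger over constructed sensor lines. The alert, flow and syslog formats, the one-hour window and the sample addresses are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sensor output (not captured from the APHIDS testbed).
SNORT_ALERTS = [  # Snort fast-alert style line for a TCP port scan (host A -> server B)
    "03/21-10:05:12.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.10",
]
ARGUS_FLOWS = [  # (start time, proto, saddr, sport, daddr, dport), Argus-style flow records
    ("03/21-09:30:00", "tcp", "10.0.0.5", 51000, "10.0.0.20", 22),
    ("03/21-09:50:00", "tcp", "10.0.0.5", 51002, "10.0.0.20", 22),
    ("03/21-07:00:00", "tcp", "10.0.0.5", 51003, "10.0.0.20", 22),  # outside the one-hour window
    ("03/21-09:55:00", "tcp", "10.0.0.7", 51004, "10.0.0.20", 22),  # unrelated host
]
SYSLOG = {"10.0.0.20": [  # sshd syslog lines, keyed by the server (C) they were read from
    "Mar 21 09:30:05 server-c sshd[1234]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    "Mar 21 09:50:07 server-c sshd[1240]: Accepted publickey for alice from 10.0.0.5 port 51002 ssh2",
    "Mar 21 09:55:01 server-c sshd[1250]: Accepted password for bob from 10.0.0.7 port 51004 ssh2",
]}

SCAN_RE = re.compile(r"^(\S+)\s+\[\*\*\].*\(portscan\).*\s(\d+\.\d+\.\d+\.\d+) -> \S+$")
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\w+) from (\d+\.\d+\.\d+\.\d+)")

def ts(s):
    """Parse the mm/dd-HH:MM:SS prefix shared by the Snort and Argus timestamps above."""
    return datetime.strptime(s.split(".")[0], "%m/%d-%H:%M:%S")

def portscan_sources(alerts):
    """Stationary-agent trigger (Scenario 1, step 2): (alert time, scanning host A) per alert."""
    return [(ts(m.group(1)), m.group(2)) for m in map(SCAN_RE.match, alerts) if m]

def ssh_targets(flows, src, when, window=timedelta(hours=1)):
    """Mobile agent on the Argus node (step 3): servers C that src reached over SSH in the window."""
    return Counter(f[4] for f in flows
                   if f[2] == src and f[5] == 22 and when - window <= ts(f[0]) <= when)

def users_from(syslog_lines, src):
    """Mobile agent on server C (step 4): usernames U that logged in from src."""
    return sorted({m.group(1) for m in map(LOGIN_RE.search, syslog_lines) if m and m.group(2) == src})

def investigate(alerts, flows, syslog):
    """Scenario 1 end to end: one report (step 5) per user/host/server triple the agent ties together."""
    return [{"user": u, "host": src, "server": c, "ssh_conns": n}
            for when, src in portscan_sources(alerts)
            for c, n in ssh_targets(flows, src, when).items()
            for u in users_from(syslog.get(c, []), src)]

def frequent_clients(flows, server, threshold):
    """Scenario 2 trigger (step 2): hosts with more than `threshold` SSH connections to server."""
    counts = Counter(f[2] for f in flows if f[4] == server and f[5] == 22)
    return {h: n for h, n in counts.items() if n > threshold}
```

With the constructed data, `investigate` reports that user alice logged in to 10.0.0.20 from 10.0.0.5, the host Snort saw scanning, and `frequent_clients` flags 10.0.0.5 for three SSH connections to that server.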
11
Scenarios: Testbed
12
Novelty of Approach
  • On their own, each system gives only simple data.
    • Snort tells us that a port scan occurred
    • Argus logs the network connection activity
    • Syslog records the activities of the users
      accessing the server.
  • By correlating the data collected, the agent can
    present a more useful data set to the
    administrator (e.g. user X logged in from IP
    Y, which also launched a port scan).

13
Conclusions
  • A novel approach to IDS data analysis was
    developed and implemented using the data
    collected from multiple sensors.
  • The system provides useful data to administrators
    that could otherwise only be obtained by manual
    analysis of very large data sets, which takes
    valuable time.

14
Future Work
  • Develop a meta-language to provide a generic tool
    for describing attack scenarios.
    • Provide a list of Triggers and Tasks, where the
      trigger is the attack description and the tasks
      are the response of our system to this trigger.
    • This allows for dynamic extension of the system
      as new triggers are installed.
  • Test the performance of our approach in a real
    world environment.

15
Demonstration
  • Demonstration setup
    • com-cs1 is the server under attack
    • com-cs2 is the attacker's machine
    • com-cs3 is the dual IDS (argus and snort)
  • Steve, the attacker, will
    • Make an SSH connection to the server in order to
      have argus log TCP flows from his machine
    • Perform a port scan against the server
  • Let's see how the system responds.

16
  • Thank You !!!