Indra: A Peer-to-peer Approach to Intrusion Detection and Prevention - PowerPoint PPT Presentation
1
Indra: A Peer-to-peer Approach to Intrusion Detection and Prevention
  • Ramaprabhu Janakiraman
  • Marcel Waldvogel
  • Qi Zhang

2
Intrusion Detection
  • Intrusion
    • Break-in: unauthorized access to resources and data
    • Denial-of-service: use of resources in undesirable ways
  • Detection
    • Signature: the bad guy's activity is different from regular users'
    • Detection depends on monitoring the system for suspicious activity

What happens upon detection?
3
Intrusion Prevention
  • Passive systems
    • Notify a human agent (system administrator)
    • Response time relatively high, depends on human factors
  • Active systems
    • System automatically takes action to contain/eliminate the threat
    • Low response times
    • Potential for abuse

We will focus on active systems
4
Collaborative Intrusion Detection
  • Basis
    • Spatial correlation: the same attacker tries multiple hosts
    • Temporal correlation: many attackers try the same attack at once
    • Statistic: > 100 failed attempts for every successful crack

5
What is Indra?
  • INDRA: Intrusion Detection and Rapid Action
  • Features
    • Distributed, collaborative, active intrusion detection system
    • Active: takes preventive action with low response time
    • Collaborative: scales well with the size of the network
    • Uses peer-to-peer mechanisms for group communication
    • Ensures secure communication using trust and reputation (soon)
    • Extensible to support new services and fix new vulnerabilities
    • Written in Java, so code can execute in a secure sandbox

6
Peer-to-peer Collaboration
  • Group communication
    • Collaborative IDS need secure group communication
    • IP multicast cannot be relied on
    • Overlay, or end-system, multicast over peer-to-peer networks
  • Randomized sending
  • Layer-7 throttling

7
Why is Indra useful?
  • IDS techniques
    • Collaborative: scales well with the size of the network
    • Active: takes preventive action with low response time
  • Security
    • Uses strong cryptographic primitives for secure communication
    • Implemented in Java; code executes in a sandbox
  • Communication
    • Variety of communication protocols (TCP/UDP, overlay multicast, Java RMI)
    • E-mail gateway enables the admin to send patches to thousands of vulnerable machines instantly
    • Uses existing work on overlay multicast mechanisms instead of reinventing the wheel

8
How does Indra work?
  • Indra basics
    • Every node on the IDS network runs a set of Indra daemons
    • Daemons watch for intrusion activity locally and in peers
    • Daemons report intrusion attempts to peers using the peer network
    • Daemons control access to resources accordingly

9
Indra Layers
10
Trust and Indra
  • Cryptographic primitives
    • Public-key cryptography for both security and authentication
    • Indra daemons identified by unique keys generated by the admin
    • Security layer encapsulates cryptographic functions
  • Cryptographic primitives
    • Depends on a central key server to certify public keys
    • Existing PGP key server network may be used
    • Does not scale well with the number of nodes
  • Web of trust model
    • Certain nodes have pre-assigned trust
    • Trust for new nodes computed using transitive trust relations
    • Heuristics like maximum flow may be used

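As an added example (not the paper's code or data), the following Python computes transitive trust for a new daemon's key as the maximum flow from a virtual source through the pre-trusted nodes, so trust from independent vouchers adds up while a single weak chain stays weak. The trust graph, its weights and the admission threshold are assumptions made for the illustration.

```python
from collections import deque

# Constructed trust graph (assumption, not the paper's data): signer -> {signed
# key: weight}; weights act as flow capacities between pre-trusted and new nodes.
PRE_TRUSTED = {"admin"}                 # nodes with pre-assigned trust
TRUST_EDGES = {
    "admin": {"alice": 3, "bob": 3},
    "alice": {"carol": 2, "dave": 1},
    "bob":   {"carol": 2},
    "carol": {"eve": 1},
}

def max_flow(cap, source, sink):   # Edmonds-Karp over cap: u -> {v: capacity}
    res = {}                                       # residual graph with reverse edges
    for u, vs in cap.items():
        res.setdefault(u, {})
        for v, c in vs.items():
            res[u][v] = res[u].get(v, 0) + c
            res.setdefault(v, {}).setdefault(u, 0)
    flow = 0
    while True:
        parent, q = {source: None}, deque([source])
        while q and sink not in parent:            # BFS for an augmenting path
            u = q.popleft()
            for v, c in res[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    q.append(v)
        if sink not in parent:
            return flow
        bottleneck, v = float("inf"), sink
        while parent[v] is not None:
            bottleneck, v = min(bottleneck, res[parent[v]][v]), parent[v]
        v = sink
        while parent[v] is not None:               # push flow along the path
            res[parent[v]][v] -= bottleneck
            res[v][parent[v]] += bottleneck
            v = parent[v]
        flow += bottleneck

def trust_for(node, edges=TRUST_EDGES, pre_trusted=PRE_TRUSTED):
    """Transitive trust = max flow from a virtual source via the pre-trusted nodes."""
    if node in pre_trusted:
        return float("inf")
    cap = dict(edges)
    cap["_src"] = {t: float("inf") for t in pre_trusted}
    return max_flow(cap, "_src", node)

def admit(node, threshold=2):   # admit a new daemon only if enough trust reaches it
    return trust_for(node) >= threshold
```

A key nobody in the graph has signed gets zero flow and is refused, while carol, vouched for by two independent signers, exceeds the threshold.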
11
Indra Daemons
  • Watcher
    • Monitors inputs for suspicious activity
    • Existing IDS may be implemented as a pluggable watcher
  • Listener
    • Gathers warnings from watchers and informs the Access Controller
    • Central point of information gathering
  • Access Controller
    • Controls access to resources based on advice from the Listener
  • Reporter
    • Reports intrusion attempts to Indra peers
    • Gives Indra its distributed functionality
  • Plugin Loader
    • Loads pluggable Watchers, Access Controllers, ...

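As an added illustration (not code from the Indra project), the following Python simulation wires the daemon roles from this slide and slide 8 together on two hosts and applies the spatial and volume correlation from slide 4: the Watcher extracts the source of failed logins from constructed auth-log lines, the Listener gathers local and peer warnings, the Reporter multicasts them to every peer (simulated by a loop), and the Access Controller blocks a source once two distinct hosts have reported it or three attempts have been seen in total. Host names, log lines, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not real traffic): 203.0.113.7 probes both
# hosts, 192.0.2.77 hammers only host-b, 198.51.100.9 fails twice on host-a only.
LOGS = {
    "host-a": ["sshd: Failed password for root from 203.0.113.7",
               "sshd: Failed password for bob from 198.51.100.9",
               "sshd: Failed password for bob from 198.51.100.9",
               "sshd: Accepted password for alice from 192.0.2.10"],
    "host-b": ["sshd: Failed password for root from 203.0.113.7",
               "sshd: Failed password for root from 192.0.2.77",
               "sshd: Failed password for admin from 192.0.2.77",
               "sshd: Failed password for test from 192.0.2.77"],
}
FAILED = re.compile(r"Failed password for \S+ from (\S+)")

class IndraNode:   # one host's daemons: Watcher -> Listener -> Access Controller, Reporter
    def __init__(self, name, peers):
        self.name, self.peers = name, peers   # peers: shared dict name -> node
        self.reports = defaultdict(list)      # attacker -> hosts that reported it
        self.blocked = set()
        peers[name] = self
    def watcher(self, line):                  # pluggable detector: failed logins
        m = FAILED.search(line)
        return m.group(1) if m else None
    def listener(self, attacker, source):     # gathers local and peer warnings
        self.reports[attacker].append(source)
        self.access_controller(attacker)
    def access_controller(self, attacker):
        seen = self.reports[attacker]
        # spatial correlation: >= 2 distinct hosts saw it; or >= 3 attempts in total
        if len(set(seen)) >= 2 or len(seen) >= 3:
            self.blocked.add(attacker)
    def reporter(self, attacker):             # overlay multicast, simulated as a loop
        for peer in self.peers.values():
            if peer is not self:
                peer.listener(attacker, self.name)
    def process(self, line):
        attacker = self.watcher(line)
        if attacker:
            self.listener(attacker, self.name)
            self.reporter(attacker)

def run(logs):
    peers = {}
    nodes = {name: IndraNode(name, peers) for name in logs}
    for name, lines in logs.items():
        for line in lines:
            nodes[name].process(line)
    return {name: sorted(node.blocked) for name, node in nodes.items()}
```

Both hosts end up blocking 203.0.113.7 (seen by two hosts) and 192.0.2.77 (three attempts reported by one host), while 198.51.100.9 stays unblocked everywhere.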
12
Daemon Architecture
  (figure: Input 1 to Input 4, each monitored by its own Watcher)
13
Further Work
  • Practical applications
    • Better interface with existing intrusion detection systems
    • Deployment on real systems (honeypots/-nets?)
  • Peer-to-peer aspects
    • Secure, efficient, reliable P2P group communication
    • Randomized rumor-spreading versus deterministic multicast
  • Security
    • Refinements of the web of trust model (Bayesian inference)
    • Reputation model
  • Efficiency
    • Stripped version of Indra on constrained nodes (routers etc.)
    • Randomized load balancing

14
Related Work
  • Intrusion detection
    • Immunology, epidemic spreading
    • NADIR: distributed data collection and central analysis
    • GrIDS, AAFID: distributed and passive
    • CSM, EMERALD: distributed, active, but not extensible; propose ad-hoc communication, not peer-to-peer mechanisms
  • Peer-to-peer communications
    • Scribe: publish-subscribe multicast on the Pastry P2P network
    • Bayeux: multicast on the Tapestry network
    • AMcast, ALMI
    • Randomized rumor spreading

15
Summary and Current Status
  • Contributions
    • Collaborative and active IDS with support for peer-to-peer communication
    • Secure communication by the use of strong cryptography
    • Java implementation allows fine-grained access control
    • On-the-fly loadable plugins allow rapid fixing of vulnerabilities
    • E-mail gateway allows the admin to mail plugins instantly to multiple machines
  • Status
    • Current prototype version has toy watchers (port scanning etc.)
    • Needs interfacing with existing intrusion detection software, e.g. Tripwire
    • Need to improve efficiency
    • Currently only a centralized key server is supported

Questions?