Report on Common Intrusion Detection Framework - PowerPoint PPT Presentation

About This Presentation
Title:

Report on Common Intrusion Detection Framework

Description:

Title: Intrusion Detection Inter-component Adaptive Negotiation (IDIAN) Author: abc Last modified by: Edward Chow Created Date: 3/3/2004 7:16:10 PM – PowerPoint PPT presentation

Slides: 22
Provided by: abc89
Learn more at: http://cs.uccs.edu

Transcript and Presenter's Notes



1
Report on Common Intrusion Detection Framework
  • By
  • Ganesh Godavari

2
Outline of the talk
  • CIDF
  • GIDO
  • GIDO Filters

3
Goal
  • Goals of IDIAN
  • Develop a negotiation protocol that is dynamic
  • Allow distributed collection of heterogeneous ID
    components
  • Provide interoperability so that components can reach
    agreement on ID information-processing capabilities

4
Motivation
  • Understand
  • Common Intrusion Detection Framework
  • Common Intrusion Specification Language (CISL)

5
Scenario 1: a new capability
  • A new host machine with a detection component is
    added to the LAN.
  • The network is under a connection-laundering attack.
  • Solution?

6
Solution
  • The analysis component counts the number of inbound
    and outbound connections for the service provided
    by the host.

7
Scenario 2: flooding the IDS
  • A stolen company laptop with a detection component is
    used to launch an attack.
  • The attacker generates a lot of spurious audit data to
    deflect suspicion. A second host is also
    compromised and generates more audit data, crashing
    the central IDS.

8
Common Intrusion Detection Framework (CIDF)
  • CIDF architecture
  • Divides an IDS into components
  • A component consists of software code together with
    its configuration information
  • Components can be added or removed
  • Components interact in real time and exchange
    data using GIDOs

9
CIDF components
  • Components
  • Event generators ("E-boxes")
  • Produce GIDOs
  • Event analyzers ("A-boxes")
  • Consume GIDOs
  • Conclusions are output as GIDOs
  • Event databases ("D-boxes")
  • Store events for later retrieval
  • Response units ("R-boxes")
  • Consume GIDOs
  • Take actions such as killing a process or resetting connections

10
Generalized Intrusion Detection Objects (GIDO)
  • A GIDO consists of two components
  • Fixed-format header
  • CIDF version, timestamp, and length of the body
  • Variable-length body
  • The data
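The following is an added example, not code from the slides or from the CIDF working-group documents: it frames a GIDO as the fixed-format header (CIDF version, timestamp, body length) followed by the variable-length body, and refuses any message whose declared length disagrees with what actually arrived. The three 32-bit big-endian fields, the version value and the body-size cap are this example's own assumptions, not the CIDF wire encoding.

```python
# Added example: GIDO framing with a fixed-format header and a
# variable-length body.  Field widths, byte order, version number and the
# body-size cap are assumptions for illustration, not the CIDF encoding.
import struct

HEADER = struct.Struct(">III")  # CIDF version, timestamp, body length (assumed layout)
CIDF_VERSION = 1                # placeholder version value
MAX_BODY = 64 * 1024            # assumed cap so a bogus length field cannot force a huge read


def encode_gido(body: bytes, timestamp: int, version: int = CIDF_VERSION) -> bytes:
    """Prefix the body with the header; the length field is computed, never trusted."""
    if len(body) > MAX_BODY:
        raise ValueError("GIDO body exceeds MAX_BODY")
    return HEADER.pack(version, timestamp, len(body)) + body


def decode_gido(msg: bytes):
    """Return (version, timestamp, body), rejecting truncated or padded messages."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than the fixed-format header")
    version, timestamp, length = HEADER.unpack_from(msg)
    if version != CIDF_VERSION:
        raise ValueError(f"unsupported CIDF version {version}")
    if length > MAX_BODY:
        raise ValueError("declared body length exceeds MAX_BODY")
    body = msg[HEADER.size:]
    if len(body) != length:
        # A D-box or A-box must not act on a body whose length field lies:
        # a short body means truncation, a long one means trailing junk.
        raise ValueError(f"body length mismatch: header says {length}, got {len(body)}")
    return version, timestamp, body


def is_well_formed(msg: bytes) -> bool:
    """Convenience predicate: does `msg` decode cleanly?"""
    try:
        decode_gido(msg)
        return True
    except ValueError:
        return False


def split_stream(data: bytes):
    """Split a byte stream of back-to-back GIDOs (e.g. from an E-box) into bodies."""
    bodies, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError("trailing partial header")
        _, _, length = HEADER.unpack_from(data, offset)
        end = offset + HEADER.size + length
        if length > MAX_BODY or end > len(data):
            raise ValueError("GIDO runs past end of stream")
        bodies.append(decode_gido(data[offset:end])[2])
        offset = end
    return bodies


if __name__ == "__main__":
    # Constructed sample: a fragment of the S-expression text from the GIDO
    # body slide used as the body; the timestamp is an arbitrary constructed value.
    sample = b"(ByMeansOf (Attack (Observer (ProcessName 'StackGuard'))))"
    msg = encode_gido(sample, timestamp=919868256)
    print(decode_gido(msg))
```

The point of `decode_gido` and `split_stream` is that a consumer (A-box, D-box or R-box) validates the length field against the bytes it actually received before parsing the body, so a truncated or padded GIDO is rejected rather than silently misparsed.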

11
GIDO body
  (ByMeansOf
    (Attack
      (Observer (ProcessName 'StackGuard') )
      (Target (HostName 'somehost.someplace.net') )
      (AttackSpecifics
        (Certainty '100')
        (Severity '100')
        (AttackID '1' '0x4f') )
      (Outcome (CIDFReturnCode '2') )
      (When
        (BeginTime '145736 24 Feb 1999')
        (EndTime '145736 24 Feb 1999') ) )
    (ByMeansOf
      (Execute
        (Process (ProcessName 'fingerd') )
        (When
          (BeginTime '145736 24 Feb 1999')
          (EndTime '145736 24 Feb 1999') ) ) ) )
  Slide callouts: "Which process detected" points at the Observer role,
  "Where the attack occurred" / "Where the attack is targeted at?" at the
  Target role, and "data" at the quoted atom values.
  Note: StackGuard is a compiler that emits programs hardened against
  "stack smashing" attacks.

12
Semantic Identifier (SID)
  • A SID is associated with each piece of data in the
    body
  • SIDs associated with data are called Atom SIDs
  • An Atom SID alone cannot completely describe an event.
  • Verbs describe events
  • e.g. the Attack SID
  • A Verb SID has a set of Role SIDs which provide
    additional information about the event.
  • e.g. the Observer role provides information about the
    observer of an event.

13
Example
  • V is a verb SID
  • R1 and R2 are role SIDs
  • A1 through A3 are Atom SIDs
  • S-expression:
    (V
      (R1
        (A1 data1) (A2 data2)
      )
      (R2
        (A3 data3)
      )
    )
  • Tree representation: [figure] V at the root, R1 and R2 as its
    children, and the atoms A1 and A2 (under R1) and A3 (under R2) as
    the leaves
14
IDIAN Components
  • IDIAN architecture components
  • Detection
  • Sensors like audit mechanisms and packet sniffers
  • Record activity
  • Analysis
  • Detect attacks
  • Response
  • Accept commands to take specific action to stop
    attacks

15
IDIAN component Interaction
  [Diagram: Detection --(Recorded Activity)--> Analysis
            --(Specific Action Commands)--> Response]
  • The analysis component uses recorded activity to
    detect attacks

16
GIDO Filters
  • GIDO Filter
  • A method of describing a set of GIDOs
  • Uses the same basic structure as GIDOs
  • Interesting fields identified in the filter can
    easily be extracted from a GIDO, filtering out the
    unneeded information
  • The major difference between a GIDO and a filter is in
    the body

17
GIDO filter Requirements
  • GIDO filter requirements
  • Expressive
  • Ability to specify all sets of useful GIDOs
  • Ability to specify sets of hosts, users
  • Precise
  • Ability to determine whether a given GIDO satisfies a
    filter or not
  • Allow the extraction of particular data values
    from matching GIDOs
  • The filter language must allow for efficient
    implementation of encoding, decoding and matching
    GIDOs against filters
  • Easy to construct filters from subsets of existing
    filters
  • Easy to determine if a filter is equivalent to the
    null filter (one that matches no GIDO)

18
Sample filter
  (Filter
    (Fragment
      (Attack
        (Observer (ProcessName observerexp1))
        (Target (HostName targetexp2) ) ) )
    (Permit ByMeansOf)
    (variables observer target) )
  (The Fragment specifies a piece of a GIDO.)
  • The GIDO in Figure 1 (the GIDO body on slide 11) matches the
    fragment in Figure 2 (the filter above), with the variables
    observer and target instantiating to 'StackGuard' and
    'somehost.someplace.net' respectively.
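As an added example (not code from the slides, from IDIAN or from the CIDF documents), the block below parses the S-expression GIDO text from the GIDO body slide and the filter from this slide, then matches the filter's fragment against the GIDO and reports the instantiated variables. The `?name` variable syntax, the `Variables` role name and the matching rules (fields of the GIDO not named in the fragment are ignored; `Permit` lists verbs the matcher may descend through) are this example's assumptions, not the CISL specification.

```python
# Added example: a small parser for the S-expression (CISL-style) GIDO text
# shown on the slides plus a filter matcher that binds the filter's
# variables.  The "?name" variable syntax, the "Variables" role name and the
# matching rules (extra GIDO fields ignored; Permit lists verbs the matcher
# may descend through) are this example's assumptions, not the CIDF spec.
import re

TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")


def parse(text):
    """Parse one S-expression into nested lists; 'quoted' atoms become plain str."""
    tokens = TOKEN.findall(text)
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unbalanced S-expression")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read())
            if pos >= len(tokens):
                raise ValueError("missing ')'")
            pos += 1  # consume ')'
            return items
        if tok == ")":
            raise ValueError("unexpected ')'")
        return tok[1:-1] if tok.startswith("'") else tok

    tree = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after S-expression")
    return tree


def _try(frag, expr, permit, bindings):
    """Attempt a match on a scratch copy so a failed branch leaves no bindings."""
    trial = dict(bindings)
    if match(frag, expr, permit, trial):
        bindings.update(trial)
        return True
    return False


def match(frag, expr, permit, bindings):
    """True if fragment `frag` matches GIDO `expr`; variables are bound in `bindings`."""
    if isinstance(frag, str):                       # atom value or ?variable
        if not isinstance(expr, str):
            return False
        if frag.startswith("?"):
            if frag in bindings:                    # same variable twice: values must agree
                return bindings[frag] == expr
            bindings[frag] = expr
            return True
        return frag == expr
    if not isinstance(expr, list) or not expr or not frag:
        return False
    if frag[0] != expr[0]:
        # Different SID: only a permitted verb (e.g. ByMeansOf) may wrap the fragment.
        if expr[0] not in permit:
            return False
        return any(_try(frag, child, permit, bindings) for child in expr[1:])
    # Same SID: each fragment field must match some field of the GIDO; the
    # GIDO's other fields (AttackSpecifics, When, ...) are simply not extracted.
    return all(any(_try(sub, cand, permit, bindings) for cand in expr[1:])
               for sub in frag[1:])


def apply_filter(filter_text, gido_text):
    """Return the instantiated variables if the GIDO matches the filter, else None."""
    parts = {p[0]: p for p in parse(filter_text)[1:]}
    fragment = parts["Fragment"][1]
    permit = set(parts.get("Permit", ["Permit"])[1:])
    names = parts.get("Variables", ["Variables"])[1:]
    bindings = {}
    if not match(fragment, parse(gido_text), permit, bindings):
        return None
    return {name: bindings.get("?" + name) for name in names}


# Constructed inputs: the GIDO body from slide 11 and the filter from slide 18,
# with ?observer / ?target standing in for the slide's variables.
SAMPLE_GIDO = """
(ByMeansOf
  (Attack
    (Observer (ProcessName 'StackGuard'))
    (Target (HostName 'somehost.someplace.net'))
    (AttackSpecifics (Certainty '100') (Severity '100') (AttackID '1' '0x4f'))
    (Outcome (CIDFReturnCode '2'))
    (When (BeginTime '145736 24 Feb 1999') (EndTime '145736 24 Feb 1999')))
  (ByMeansOf
    (Execute
      (Process (ProcessName 'fingerd'))
      (When (BeginTime '145736 24 Feb 1999') (EndTime '145736 24 Feb 1999')))))
"""
SAMPLE_FILTER = """
(Filter
  (Fragment (Attack (Observer (ProcessName ?observer))
                    (Target (HostName ?target))))
  (Permit ByMeansOf)
  (Variables observer target))
"""

if __name__ == "__main__":
    print(apply_filter(SAMPLE_FILTER, SAMPLE_GIDO))
```

Running it prints the two instantiated variables, `observer` bound to `StackGuard` and `target` to `somehost.someplace.net`, which is exactly the "extract the interesting fields, drop the rest" behaviour the GIDO Filters slide describes; a GIDO whose verb is not `Attack` and is not wrapped in a permitted verb yields no match.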
19
References
  • Intrusion Detection Inter-component Adaptive
    Negotiation
  • Richard Feiertag et al., 2000, IEEE Computer
    Networks special issue on intrusion detection
  • A Common Intrusion Specification Language, CIDF
    working group document.
  • Communication in the Common Intrusion Detection
    Framework, CIDF working group document.

20
Negotiation Protocol
  • IDIAN negotiation protocol allows components to
  • Discover the services of other components.
  • Negotiate for the use of those services.
  • Intelligently manage the use of IDS resources by
    components.
  • Dynamically adjust the use of services, perhaps
    in order to respond to changes in the environment.

21
  • Agreement
  • A relationship between a producer and a consumer.
  • Specifies a set of services which the producer must
    provide to the consumer.
  • For example, an event generator may agree to provide
    a particular set of audit data to an analyzer. At
    a minimum, an agreement must specify the
    producer, the consumer, and the set of services to be
    provided.
  • Contract
  • A set of agreements, each of which involves the
    same producer and consumer (the partners to the
    contract).
  • Exactly one agreement in a contract is in effect.
  • Contract Database
  • A set of contracts.
  • Every component has a contract database
    containing all the contracts to which it is a
    partner.
  • Capability Database
  • Associates services (e.g., provide IP audit data,
    filter packets, etc.) with the components which
    can provide those services.
  • Each component has a database containing its own
    capabilities and, possibly, those of other
    components.
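To make the relationships above concrete, here is an added example (this is not IDIAN's code or API; the class and method names are this example's own) modelling agreements, contracts, the contract database and the capability database, and walking through the discover / negotiate / adjust cycle of the Negotiation Protocol slide. The component names and services in the scenario are constructed.

```python
# Added example: a small model of the IDIAN negotiation data structures
# described on the slides (agreement, contract, contract database,
# capability database).  Class and method names are this example's own.
from dataclasses import dataclass


@dataclass(frozen=True)
class Agreement:
    """The minimum an agreement specifies: producer, consumer, services owed."""
    producer: str
    consumer: str
    services: frozenset


class Contract:
    """Agreements between one producer/consumer pair; exactly one is in effect."""

    def __init__(self, first: Agreement):
        self.producer, self.consumer = first.producer, first.consumer
        self.agreements = [first]
        self.in_effect = first

    def add(self, agreement: Agreement):
        if (agreement.producer, agreement.consumer) != (self.producer, self.consumer):
            raise ValueError("every agreement in a contract has the same partners")
        self.agreements.append(agreement)

    def adjust(self, agreement: Agreement):
        """Dynamically switch which agreement is in effect (never zero, never two)."""
        if agreement not in self.agreements:
            raise ValueError("agreement is not part of this contract")
        self.in_effect = agreement


class ContractDatabase:
    """A component's contracts: only those it is a partner to may be stored."""

    def __init__(self, owner: str):
        self.owner = owner
        self.contracts = []

    def add(self, contract: Contract):
        if self.owner not in (contract.producer, contract.consumer):
            raise ValueError(f"{self.owner} is not a partner to this contract")
        self.contracts.append(contract)

    def services_owed_to(self, consumer: str):
        """Services the owner must currently provide to `consumer`."""
        return set().union(*(c.in_effect.services for c in self.contracts
                             if c.producer == self.owner and c.consumer == consumer))


class CapabilityDatabase:
    """Maps services to the components that can provide them (discovery)."""

    def __init__(self):
        self._providers = {}

    def register(self, component: str, services):
        for service in services:
            self._providers.setdefault(service, set()).add(component)

    def providers(self, service: str):
        return set(self._providers.get(service, ()))


def negotiate(capdb: CapabilityDatabase, consumer: str, wanted, fallback):
    """Discover one producer offering every wanted service and build a contract
    with the full agreement in effect and a reduced fallback agreement to adjust to."""
    if not wanted:
        return None
    candidates = set.intersection(*(capdb.providers(s) for s in wanted))
    if not candidates:
        return None
    producer = sorted(candidates)[0]          # deterministic choice for the example
    contract = Contract(Agreement(producer, consumer, frozenset(wanted)))
    contract.add(Agreement(producer, consumer, frozenset(fallback)))
    return contract


def demo():
    """Constructed scenario: an analyzer negotiates audit data, then scales back."""
    capdb = CapabilityDatabase()
    capdb.register("E-box-1", {"ip-audit-data", "process-audit-data"})
    capdb.register("E-box-2", {"ip-audit-data"})
    contract = negotiate(capdb, "A-box-1",
                         {"ip-audit-data", "process-audit-data"}, {"ip-audit-data"})
    producer_db = ContractDatabase(contract.producer)
    producer_db.add(contract)
    before = producer_db.services_owed_to("A-box-1")
    contract.adjust(contract.agreements[1])   # e.g. the analyzer is being flooded
    after = producer_db.services_owed_to("A-box-1")
    return contract.producer, before, after


if __name__ == "__main__":
    print(demo())
```

The scale-back in `demo` is the kind of dynamic adjustment the flooding scenario calls for: the contract keeps both agreements, but only the reduced one is in effect, so the producer can cut the audit volume it sends without renegotiating from scratch.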